Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-mt1s-vhfk-5bda
Vulnerability ID VCID-mt1s-vhfk-5bda
Aliases CVE-2026-27459
GHSA-5pwr-322w-8jr4
Summary pyOpenSSL DTLS cookie callback buffer overflow If a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Cookie values that are too long are now rejected.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27459.json
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.0002 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
epss 0.00026 https://api.first.org/data/v1/epss?cve=CVE-2026-27459
cvssv3.1 7 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-5pwr-322w-8jr4
cvssv4 7.2 https://github.com/pyca/pyopenssl
generic_textual HIGH https://github.com/pyca/pyopenssl
cvssv4 7.2 https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst
generic_textual HIGH https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst
ssvc Track https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst
cvssv4 7.2 https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408
generic_textual HIGH https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408
ssvc Track https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408
cvssv3.1_qr HIGH https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
cvssv4 7.2 https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
generic_textual HIGH https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
ssvc Track https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
cvssv4 7.2 https://nvd.nist.gov/vuln/detail/CVE-2026-27459
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-27459
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27459.json
https://api.first.org/data/v1/epss?cve=CVE-2026-27459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27459
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pyca/pyopenssl
https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst
https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408
https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
https://nvd.nist.gov/vuln/detail/CVE-2026-27459
2448503 https://bugzilla.redhat.com/show_bug.cgi?id=2448503
GHSA-5pwr-322w-8jr4 https://github.com/advisories/GHSA-5pwr-322w-8jr4
RHSA-2026:10754 https://access.redhat.com/errata/RHSA-2026:10754
RHSA-2026:11856 https://access.redhat.com/errata/RHSA-2026:11856
RHSA-2026:11916 https://access.redhat.com/errata/RHSA-2026:11916
RHSA-2026:11996 https://access.redhat.com/errata/RHSA-2026:11996
RHSA-2026:13508 https://access.redhat.com/errata/RHSA-2026:13508
RHSA-2026:13512 https://access.redhat.com/errata/RHSA-2026:13512
RHSA-2026:13545 https://access.redhat.com/errata/RHSA-2026:13545
RHSA-2026:13553 https://access.redhat.com/errata/RHSA-2026:13553
RHSA-2026:7224 https://access.redhat.com/errata/RHSA-2026:7224
RHSA-2026:8437 https://access.redhat.com/errata/RHSA-2026:8437
USN-8115-1 https://usn.ubuntu.com/8115-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27459.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/pyca/pyopenssl
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T19:52:08Z/ Found at https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T19:52:08Z/ Found at https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T19:52:08Z/ Found at https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27459
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.05292
EPSS Score 0.0002
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:53:50.713076+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5pwr-322w-8jr4/GHSA-5pwr-322w-8jr4.json 38.0.0