Vulnerability details: VCID-s16a-spa1-pubx
Vulnerability ID VCID-s16a-spa1-pubx
Aliases CGA-f4qg-9fw4-8247
CVE-2024-26130
GHSA-6vqw-3v5j-54x4
PYSEC-2024-225
Summary cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26130.json
epss 0.00236 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
epss 0.00257 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
epss 0.00264 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
epss 0.00351 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
cvssv3.1 6.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-6vqw-3v5j-54x4
cvssv3.1 7.5 https://github.com/pyca/cryptography
generic_textual HIGH https://github.com/pyca/cryptography
cvssv3.1 7.5 https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
generic_textual HIGH https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
ssvc Track https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
cvssv3.1 7.5 https://github.com/pyca/cryptography/pull/10423
generic_textual HIGH https://github.com/pyca/cryptography/pull/10423
ssvc Track https://github.com/pyca/cryptography/pull/10423
cvssv3.1 7.5 https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
cvssv3.1_qr HIGH https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
generic_textual HIGH https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
ssvc Track https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-26130
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-26130
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26130.json
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-14T19:56:07Z/ Found at https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/pull/10423
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-14T19:56:07Z/ Found at https://github.com/pyca/cryptography/pull/10423
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-14T19:56:07Z/ Found at https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-26130
Exploit Prediction Scoring System (EPSS)
Percentile 0.46568
EPSS Score 0.00236
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:25:06.367488+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2024-225.yaml 37.0.0