Fluid Attacks Database

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	cryptography	>=45.0.0 <46.0.7	46.0.7
rpm rhel9	fence-agents	-	-
alpine v3.23	py3-cryptography	=0.6.1-r0 \|\| =0.8.2-r0 \|\| =1.0.2-r0 \|\| =1.3.1-r0 \|\| =1.3.2-r0 \|\| =1.4-r0 \|\| =1.4-r1 \|\| =1.4-r2 \|\| =1.5.2-r0 \|\| =1.5.2-r1 \|\| =1.5.3-r0 \|\| =1.7.2-r0 \|\| =1.7.2-r1 \|\| =1.8.1-r0 \|\| =1.8.1-r1 \|\| =1.9-r0 \|\| =2.0.2-r0 \|\| =2.0.3-r0 \|\| =2.0.3-r1 \|\| =2.1.3-r0 \|\| =2.1.4-r0 \|\| =2.1.4-r1 \|\| =2.2.2-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.4.2-r0 \|\| =2.4.2-r1 \|\| =2.4.2-r2 \|\| =2.5-r0 \|\| =2.6.1-r0 \|\| =2.6.1-r1 \|\| =2.7-r0 \|\| =2.7-r1 \|\| =2.8-r0 \|\| =2.8-r1 \|\| =2.9-r0 \|\| =2.9.2-r0 \|\| =3.2.1-r0 \|\| =3.3-r0 \|\| =3.3.1-r0 \|\| =3.3.2-r0 \|\| =3.3.2-r1 \|\| =3.3.2-r2 \|\| =3.3.2-r3 \|\| =3.3.2-r4 \|\| =3.4.8-r0 \|\| =3.4.8-r1 \|\| =37.0.4-r0 \|\| =37.0.4-r1 \|\| =37.0.4-r2 \|\| =38.0.1-r0 \|\| =38.0.2-r0 \|\| =38.0.3-r0 \|\| =38.0.3-r1 \|\| =38.0.4-r0 \|\| =39.0.0-r0 \|\| =39.0.1-r0 \|\| =39.0.2-r0 \|\| =40.0.0-r0 \|\| =40.0.1-r0 \|\| =40.0.2-r0 \|\| =40.0.2-r1 \|\| =41.0.0-r0 \|\| =41.0.1-r0 \|\| =41.0.2-r0 \|\| =41.0.2-r1 \|\| =41.0.2-r2 \|\| =41.0.3-r0 \|\| =41.0.4-r0 \|\| =41.0.5-r0 \|\| =41.0.7-r0 \|\| =42.0.5-r0 \|\| =42.0.5-r1 \|\| =42.0.7-r0 \|\| =42.0.8-r0 \|\| =43.0.0-r0 \|\| =43.0.1-r0 \|\| =43.0.3-r0 \|\| =44.0.0-r0 \|\| =44.0.1-r0 \|\| =44.0.2-r0 \|\| =44.0.3-r0 \|\| =46.0.2-r0 \|\| =46.0.3-r0 \|\| =46.0.5-r0 \|\| >=0 <46.0.7-r0	46.0.7-r0
rpm rhel8	fence-agents	-	-
debian 14	python-cryptography	=43.0.0-3 \|\| =44.0.2-1 \|\| =44.0.2-2 \|\| =45.0.6-1 \|\| =45.0.6-1~exp1 \|\| =45.0.7-1 \|\| =46.0.1-1 \|\| =46.0.1-1~exp1 \|\| =46.0.5-1 \|\| =46.0.5-2 \|\| =46.0.6-1 \|\| >=0 <46.0.7-1	46.0.7-1

Aliases

1. CVE-2026-398922. NVD-2026-398923. OSV-2026-398924. OSV-ALPINE-2026-398925. OSV-DEBIAN-2026-398926. GHSA-p423-j2cm-9vmq7. GCVE-2026-398928. SECURITY-CVE-2026-398929. SECURITY-TRACKER-CVE-2026-39892

References

1. https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq2. https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2026-36.yaml3. http://www.openwall.com/lists/oss-security/2026/04/08/12

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.