Fluid Attacks Database

Description

cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override If pkcs12.serialize_key_and_certificates is called with both:

A certificate whose public key did not match the provided private key

An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in https://github.com/pyca/cryptography/pull/10423

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	cryptography	>=38.0.0 <42.0.4	42.0.4
debian 12	python-cryptography	=38.0.4-3 \|\| >=0 <38.0.4-3+deb12u1	38.0.4-3+deb12u1
debian 13	python-cryptography	>=0 <42.0.5-1	42.0.5-1
debian 14	python-cryptography	>=0 <42.0.5-1	42.0.5-1
rpm rhel9	python3.12-cryptography	<0:41.0.7-2.el9_6.1	0:41.0.7-2.el9_6.1

Aliases

1. CVE-2024-261302. NVD-2024-261303. OSV-2024-261304. OSV-DEBIAN-2024-261305. GHSA-6vqw-3v5j-54x46. GCVE-2024-261307. SECURITY-TRACKER-CVE-2024-26130

References

1. https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x42. https://github.com/pyca/cryptography/pull/104233. https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e554. https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml