Vulnerability Details CVE-2026-39892
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 17.3%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-39892
-
cpe:2.3:a:cryptography.io:cryptography:45.0.0
-
cpe:2.3:a:cryptography.io:cryptography:45.0.1
-
cpe:2.3:a:cryptography.io:cryptography:45.0.2
-
cpe:2.3:a:cryptography.io:cryptography:45.0.3
-
cpe:2.3:a:cryptography.io:cryptography:45.0.4
-
cpe:2.3:a:cryptography.io:cryptography:45.0.5
-
cpe:2.3:a:cryptography.io:cryptography:45.0.6
-
cpe:2.3:a:cryptography.io:cryptography:45.0.7
-
cpe:2.3:a:cryptography.io:cryptography:46.0.0
-
cpe:2.3:a:cryptography.io:cryptography:46.0.1
-
cpe:2.3:a:cryptography.io:cryptography:46.0.2
-
cpe:2.3:a:cryptography.io:cryptography:46.0.3
-
cpe:2.3:a:cryptography.io:cryptography:46.0.4
-
cpe:2.3:a:cryptography.io:cryptography:46.0.5