Cyber Resilience

CVE-2026-27459

Severity: High · Updated

Published: 18 March 2026

Modified: 30 June 2026
KEV Added: not listed
Patch: available (26.0.0)
CVSS Score v4: 7.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0050 (39.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27459 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in pyOpenSSL (vendor pyopenssl, product pyopenssl). Its CVSS v4.0 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 39.0th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27459 is a buffer overflow vulnerability (CWE-120) affecting pyOpenSSL, a Python wrapper around the OpenSSL library. The flaw impacts versions starting from 22.0.0 up to but not including 26.0.0. It arises when a user-provided callback function, set via the `set_cookie_generate_callback` method, returns a cookie value greater than 256 bytes, causing an overflow in an OpenSSL-provided buffer.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation could lead to high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or denial of service, depending on the attacker's control over the callback and the application's context.

Mitigation is available in pyOpenSSL version 26.0.0 and later, where cookie values exceeding the length limit are rejected outright. Additional details are provided in the project's security advisory (https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4), the fixing commit (https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408), and the changelog (https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst).
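The bound that the 26.0.0 fix enforces, as an added example (not code from pyOpenSSL, the advisory or the fixing commit): a wrapper that checks the callback's return length against the 256-byte buffer before copying, shown next to the unchecked copy it replaces, plus a callback whose output can never exceed the limit. The callback signature (peer bytes in, cookie bytes out), the constant name `COOKIE_BUFFER_LEN` and the HMAC construction are this example's simplifications, not pyOpenSSL's API.

```python
import hashlib
import hmac
import secrets

# Size of the OpenSSL-side cookie buffer; 256 is the limit the advisory
# cites, the constant name is this example's own.
COOKIE_BUFFER_LEN = 256


class CookieTooLong(ValueError):
    """A callback returned more bytes than the fixed buffer can hold."""


def unchecked_copy_cookie(cookie: bytes, buf: bytearray) -> int:
    # Models the pre-26.0.0 path: no bound before the copy. In C this writes
    # past the end of the fixed buffer; a Python bytearray merely grows, which
    # makes the missing check observable without crashing the interpreter.
    buf[: len(cookie)] = cookie
    return len(cookie)


def checked_copy_cookie(cookie: bytes, buf: bytearray) -> int:
    # Models the 26.0.0 fix: refuse anything that would not fit, then copy.
    if len(cookie) > len(buf):
        raise CookieTooLong(f"{len(cookie)} bytes > {len(buf)}-byte buffer")
    buf[: len(cookie)] = cookie
    return len(cookie)


def run_cookie_callback(callback, peer: bytes) -> tuple[bool, bytes]:
    # The layer a wrapper library sits in between OpenSSL and user code:
    # returns (accepted, cookie); an oversized cookie is rejected, not copied.
    buf = bytearray(COOKIE_BUFFER_LEN)
    try:
        n = checked_copy_cookie(callback(peer), buf)
    except CookieTooLong:
        return False, b""
    return True, bytes(buf[:n])


_SERVER_SECRET = secrets.token_bytes(32)  # per-process key, constructed here


def hmac_cookie_callback(peer: bytes) -> bytes:
    # A well-behaved callback: HMAC-SHA256 over the peer identity is always
    # 32 bytes, so it cannot exceed the buffer, and cannot be forged without
    # the server secret (keying only over the address is a simplification).
    return hmac.new(_SERVER_SECRET, peer, hashlib.sha256).digest()


def oversized_callback(peer: bytes) -> bytes:
    # A misbehaving callback: the case CVE-2026-27459 describes.
    return b"A" * 300
```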

EU & UK References

Vulnerability details

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer.…


Starting in version 26.0.0, cookie values that are too long are now rejected.

CWE(s): CWE-120 Classic Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in network-reachable pyOpenSSL library (AV:N, unauthenticated) directly enables remote code execution against applications exposing the vulnerable callback path, mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70314 (shared CWE-120)
CVE-2026-38426 (shared CWE-120)
CVE-2025-29329 (shared CWE-120)
CVE-2025-25567 (shared CWE-120)
CVE-2025-60553 (shared CWE-120)
CVE-2025-26005 (shared CWE-120)
CVE-2024-57482 (shared CWE-120)
CVE-2025-27836 (shared CWE-120)
CVE-2025-29137 (shared CWE-120)
CVE-2026-25994 (shared CWE-120)

Affected Assets

pyopenssl (pyopenssl): versions 22.0.0 and later, before 26.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mandates identifying, prioritizing, and applying patches for known flaws like the buffer overflow in pyOpenSSL versions prior to 26.0.0.

SI-10 Information Input Validation (prevent): Requires validation of inputs such as cookie values from user-provided callbacks to ensure they do not exceed 256 bytes, preventing the buffer overflow as implemented in the fixed version.

Memory protection control (prevent): Provides memory protections like stack guards and non-executable memory to mitigate exploitation of buffer overflows even if invalid long cookies are processed.

References