Cyber Resilience

CVE-2026-39892

MediumUpdated

Published: 08 April 2026

Published
08 April 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0053 40.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-39892 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Cryptography.Io Cryptography. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39892 is a buffer overflow vulnerability (CWE-119) in the cryptography Python package, which exposes cryptographic primitives and recipes to Python developers. The flaw affects versions from 45.0.0 up to but not including 46.0.7, where passing a non-contiguous buffer to APIs accepting Python buffers, such as Hash.update(), can trigger buffer overflows.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by any unauthenticated attacker with low attack complexity and no user interaction. Exploitation could lead to high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or system crashes via the buffer overflow.

The issue is addressed in cryptography version 46.0.7. Additional mitigation details are available in the GitHub security advisory at https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq and the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/08/12.

EU & UK References

Vulnerability details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This…

more

vulnerability is fixed in 46.0.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated buffer overflow in cryptography Python library enables arbitrary code execution, directly facilitating exploitation of public-facing applications using the vulnerable buffer-accepting APIs like Hash.update().

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14572Shared CWE-119
CVE-2025-33077Shared CWE-119
CVE-2025-30437Shared CWE-119
CVE-2022-38693Shared CWE-119
CVE-2026-4149Shared CWE-119
CVE-2025-7775Shared CWE-119
CVE-2025-33076Shared CWE-119
CVE-2026-6775Shared CWE-119
CVE-2025-7776Shared CWE-119
CVE-2025-9246Shared CWE-119

Affected Assets

cryptography.io
cryptography
45.0.0 — 46.0.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Directly mandates timely flaw remediation by patching the buffer overflow vulnerability in cryptography versions 45.0.0 to before 46.0.7.

prevent

Provides defense-in-depth against buffer overflow exploitation through memory protections like ASLR, DEP, and stack canaries.

detect

Enables identification of vulnerable cryptography library installations via vulnerability scanning and monitoring.

References