CVE-2026-44378
Published: 27 May 2026
Summary
CVE-2026-44378 is a medium-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Botan, the Botan Project's C++ cryptography library. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 24.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-32582
Vulnerability details
Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0.
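The description turns on one distinction: DER forbids the indefinite-length form (length octet 0x80, contents terminated by 00 00) that BER permits, so a parser that is supposed to be DER-only must refuse it rather than tolerate it. As an added example, not code from the Botan project, the following Python pre-check walks the ASN.1 TLV structure of an untrusted byte string and reports every encoding DER forbids (indefinite lengths and non-minimal long-form lengths) so a caller can reject such input before it reaches a DER-expecting parser. The function names and the sample encodings are this example's own, constructed for illustration.

```python
"""Strict-DER pre-check for BER/DER input (added illustration, not Botan code).

Walks the ASN.1 TLV structure of a byte string and reports every encoding
that DER forbids but BER allows: the indefinite-length form (length octet
0x80 terminated by a 00 00 end-of-contents marker) and non-minimal long-form
lengths. Input is still walked BER-style so that every offending element is
reported, not only the first. Sample encodings at the bottom are constructed.
"""
from typing import List, Tuple


class DerError(Exception):
    """Structural error that stops the walk (truncation, reserved forms)."""


def _read_tag(buf: bytes, pos: int, end: int, path: str) -> Tuple[bool, int]:
    """Consume identifier octets; return (constructed?, position after tag)."""
    if pos >= end:
        raise DerError(f"{path}: truncated before tag")
    first = buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:               # high-tag-number form: base-128 digits
        while True:
            if pos >= end:
                raise DerError(f"{path}: truncated inside high tag number")
            pos += 1
            if not buf[pos - 1] & 0x80:
                break
    return bool(first & 0x20), pos


def _read_length(buf: bytes, pos: int, end: int, path: str,
                 violations: List[str]) -> Tuple[int, int, bool]:
    """Consume length octets; return (length, position after, indefinite?).

    Non-minimal long-form lengths are recorded as DER violations here; the
    indefinite form is signalled to the caller, which records it.
    """
    if pos >= end:
        raise DerError(f"{path}: truncated before length")
    first = buf[pos]
    pos += 1
    if first == 0x80:                       # indefinite form: BER only
        return 0, pos, True
    if first < 0x80:                        # short form, 0..127
        return first, pos, False
    n = first & 0x7F
    if n == 0x7F:
        raise DerError(f"{path}: reserved length octet 0xFF")
    if pos + n > end:
        raise DerError(f"{path}: truncated inside long-form length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if buf[pos] == 0x00 or length < 0x80:   # DER requires the minimal encoding
        violations.append(f"{path}: non-minimal long-form length ({n} octets for {length})")
    return length, pos + n, False


def _walk(buf: bytes, pos: int, end: int, path: str, violations: List[str]) -> int:
    """Validate one TLV element at pos (bounded by end); return position after it."""
    constructed, pos = _read_tag(buf, pos, end, path)
    length, pos, indefinite = _read_length(buf, pos, end, path, violations)
    if indefinite:
        violations.append(f"{path}: indefinite-length encoding (forbidden in DER)")
        if not constructed:
            raise DerError(f"{path}: indefinite length on a primitive element")
        idx = 0                             # BER: children run until 00 00
        while True:
            if pos + 2 <= end and buf[pos] == 0 and buf[pos + 1] == 0:
                return pos + 2
            if pos >= end:
                raise DerError(f"{path}: missing end-of-contents octets")
            pos = _walk(buf, pos, end, f"{path}/{idx}", violations)
            idx += 1
    if pos + length > end:
        raise DerError(f"{path}: length {length} overruns enclosing element")
    if not constructed:
        return pos + length
    child_end = pos + length
    idx = 0
    while pos < child_end:
        pos = _walk(buf, pos, child_end, f"{path}/{idx}", violations)
        idx += 1
    return child_end


def check_der(buf: bytes) -> List[str]:
    """Return all DER violations found in buf (an empty list means strict DER)."""
    violations: List[str] = []
    try:
        pos = _walk(buf, 0, len(buf), "root", violations)
        if pos != len(buf):
            violations.append(f"root: {len(buf) - pos} trailing byte(s) after element")
    except DerError as exc:
        violations.append(str(exc))
    return violations


def is_strict_der(buf: bytes) -> bool:
    """True only if buf is a single, fully consumed, strictly DER-encoded element."""
    return not check_der(buf)


# Constructed samples. DER_OK, BER_INDEFINITE and BER_NONMINIMAL all encode
# SEQUENCE { INTEGER 1, OCTET STRING "ab" }; BER_NESTED encodes
# SEQUENCE { SEQUENCE { INTEGER 1 } } with both levels indefinite.
DER_OK = bytes.fromhex("30 07 02 01 01 04 02 61 62")                # canonical DER
BER_INDEFINITE = bytes.fromhex("30 80 02 01 01 04 02 61 62 00 00")  # indefinite SEQUENCE
BER_NESTED = bytes.fromhex("30 80 30 80 02 01 01 00 00 00 00")      # nested indefinite
BER_NONMINIMAL = bytes.fromhex("30 81 07 02 01 01 04 02 61 62")     # long form for 7

if __name__ == "__main__":
    for name, blob in [("DER_OK", DER_OK), ("BER_INDEFINITE", BER_INDEFINITE),
                       ("BER_NESTED", BER_NESTED), ("BER_NONMINIMAL", BER_NONMINIMAL)]:
        print(name, check_der(blob) or "strict DER")
```

Running the module prints a verdict per sample: the canonical encoding passes, while the indefinite, nested-indefinite and non-minimal-length encodings are each flagged with the path of the offending element. The walk deliberately bounds every length against the enclosing element so that a crafted length cannot make the checker read past the structure it is validating.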
- CWE(s): CWE-407 Inefficient Algorithmic Complexity
Related Threats
MITRE ATT&CK Enterprise Techniques (AI mapping)
- T1499.004 Application or System Exploitation
Why these techniques?
The CVE describes algorithmic complexity (quadratic parsing) in BER/DER handling that leads to DoS via crafted input, which maps directly to T1499.004 Application or System Exploitation.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- CWE-407: addresses inefficient algorithms whose complexity can be exploited for DoS. For this CVE the vendor fix is Botan 3.12.0; where untrusted ASN.1 must be accepted in a structure that requires DER, rejecting indefinite-length encodings at the input boundary is the corresponding defensive check.