=====================================================================
                            CERT-Renater

                  Information Note No. 2026/VULN367
_____________________________________________________________________

DATE                : 09/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running cryptography (pip) versions
                     prior to 46.0.7.

=====================================================================
https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq
_____________________________________________________________________

Buffer overflow if non-contiguous buffers were passed to APIs

Moderate
alex published GHSA-p423-j2cm-9vmq Apr 8, 2026

Package
cryptography (pip)

Affected versions
>=45.0.0

Patched versions
>=46.0.7

Description

If a non-contiguous buffer was passed to APIs which accepted Python
buffers (e.g. Hash.update()), this could lead to buffer overflows.
For example:

    from cryptography.hazmat.primitives.hashes import Hash, SHA256

    h = Hash(SHA256())
    h.update(buf[::-1])  # the non-contiguous buffer in this example

would read past the end of the buffer on Python >3.11.

Severity
Moderate

CVE ID
CVE-2026-39892

Weaknesses
No CWEs

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |    email:cert@support.renater.fr +
=========================================================
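Added example (not part of the advisory or of the cryptography project's code): a triage helper that checks a version string against the affected and patched versions stated above, plus a caller-side guard that copies a non-contiguous buffer into contiguous bytes before it reaches a buffer-accepting API. The function names are hypothetical, and treating the copy as a stopgap until the upgrade to 46.0.7 or later is an assumption drawn from the advisory's description.

```python
import re
from importlib import metadata

AFFECTED_FROM = (45, 0, 0)  # "Affected versions >=45.0.0" (from the advisory)
PATCHED_IN = (46, 0, 7)     # "Patched versions >=46.0.7" (from the advisory)


def parse_version(text):
    """Return the leading numeric release of a version string as a 3-tuple."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version_text):
    """True when the version falls in the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version_text) < PATCHED_IN


def installed_cryptography_is_affected():
    """Check the local environment; None means the package is not installed."""
    try:
        return is_affected(metadata.version("cryptography"))
    except metadata.PackageNotFoundError:
        return None


def as_contiguous(data):
    """Return data unchanged if its buffer is contiguous, else a bytes copy."""
    view = memoryview(data)
    if view.contiguous:
        return data
    return view.tobytes()  # copies the elements in logical order


if __name__ == "__main__":
    print("installed cryptography affected:", installed_cryptography_is_affected())
    # Constructed sample input: a reversed memoryview is non-contiguous.
    reversed_view = memoryview(bytearray(b"constructed sample"))[::-1]
    print(reversed_view.contiguous, as_contiguous(reversed_view))
```

Pre-release and development suffixes are ignored by `parse_version`, so such builds are classified by their numeric release only.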