CVE-2024-26130
Severity
7.5HIGH
EPSS
0.4%
top 37.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 21
Latest updateJan 15
Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been res…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages5 packages
Patches
🔴Vulnerability Details
6OSV▶
CVE-2024-26130: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers↗2024-02-21
OSV▶
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override↗2024-02-21
GHSA▶
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override↗2024-02-21
📋Vendor Advisories
8Oracle▶
Oracle Oracle Communications Risk Matrix: Install/Upgrade (Cryptography) — CVE-2024-26130↗2024-04-15