CVE-2026-26007

CWE-345, CWE-354 | 10 documents | 9 sources
Severity: 8.2 HIGH
EPSS: 0.0% (top 99.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 10; Latest update Mar 12

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers() and EllipticCurvePublicNumbers.public_key() functions, as well as load_der_public_key() and load_pem_public_key(), do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages (4 packages)

Ecosystem   Package               Affected versions
Debian      python-cryptography   < 43.0.0-3+deb13u1+1
PyPI        cryptography          < 46.0.5
CVEListV5   pyca/cryptography     < 46.0.5

Patches

🔴 Vulnerability Details (4)

OSV: cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (2026-02-10)
GHSA: cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (2026-02-10)
CVEList: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (2026-02-10)
OSV: CVE-2026-26007: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers (2026-02-10)

📋 Vendor Advisories (3)

Ubuntu: python-cryptography vulnerability (2026-03-12)
Red Hat: cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (2026-02-10)
Debian: CVE-2026-26007: python-cryptography - cryptography is a package designed to expose cryptographic primitives and recipe... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-26007 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla: CVE-2026-26007 cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (2026-02-10)