CVE-2026-32877 — Out-of-bounds Read in Project Botan

CWE-125 — Out-of-bounds Read CWE-1284 — Improper Validation of Specified Quantity in Input13 documents6 sources

Severity

8.2HIGHNVD

EPSS

0.1%

top 82.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Botan Project Botan Debian Botan Debian Botan3 +1 more

Timeline

PublishedMar 30

Latest updateApr 1

Description

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages4 packages

▶debiandebian/botan< botan3 3.11.0+dfsg-2 (sid)

▶debiandebian/botan3< botan3 3.11.0+dfsg-2 (sid)

▶NVDbotan_project/botan2.3.0 — 3.11.0

▶CVEListV5randombit/botan>= 2.3.0, < 3.11.0

🔴Vulnerability Details

OSV

CVE-2026-32877: Botan is a C++ cryptography library↗2026-03-30

▶

📋Vendor Advisories

Red Hat

Botan: Botan: Denial of Service via heap over-read during SM2 decryption↗2026-03-30

▶

Debian

CVE-2026-32877: botan - Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-34582 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-32884 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-32877 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34580 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-32883 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-32877 botan2: Botan: Denial of Service via heap over-read during SM2 decryption [fedora-43]↗2026-04-01

▶

Bugzilla

CVE-2026-32877 botan3: Botan: Denial of Service via heap over-read during SM2 decryption [epel-all]↗2026-04-01

▶

Bugzilla

CVE-2026-32877 botan2: Botan: Denial of Service via heap over-read during SM2 decryption [epel-all]↗2026-04-01

▶

Bugzilla

CVE-2026-32877 botan2: Botan: Denial of Service via heap over-read during SM2 decryption [fedora-42]↗2026-04-01

▶