CVE-2026-33936 — Improper Input Validation in Python-ecdsa
Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 71.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products:
Timeline: Published Mar 27
Description
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the ava…
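The flaw described above is a missing bounds check between a DER length field and the bytes actually present. The following is an added illustration, not code from the ecdsa package: a minimal DER OCTET STRING reader in two forms, one that trusts the encoded length and silently returns a short body, and one that rejects input whose declared length exceeds the available bytes with a defined error. The names `DerError`, `_read_length`, `remove_octet_string_naive`, `remove_octet_string_checked` and the sample byte strings are constructed for this example.

```python
class DerError(ValueError):
    """Defined error for malformed DER input (constructed for this example)."""


def _read_length(data, pos):
    """Decode a DER length starting at data[pos]; return (length, next_pos).

    Handles the short form (< 0x80) and the long form (0x81..0x84 followed by
    the big-endian length) and enforces DER's minimal-encoding rule.
    """
    if pos >= len(data):
        raise DerError("missing length byte")
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise DerError("unsupported length-of-length")
    if pos + n > len(data):
        raise DerError("truncated length field")
    length = int.from_bytes(data[pos:pos + n], "big")
    if length < 0x80 or data[pos] == 0:
        raise DerError("non-minimal length encoding")
    return length, pos + n


def remove_octet_string_naive(data):
    """Naive reader: trusts the encoded length and slices.

    Python slicing never fails on a short buffer, so a truncated input
    yields a short body instead of an error, and callers downstream are left
    to fail in unexpected ways.
    """
    if data[0] != 0x04:  # OCTET STRING tag
        raise DerError("expected OCTET STRING")
    length, pos = _read_length(data, 1)
    return data[pos:pos + length], data[pos + length:]


def remove_octet_string_checked(data):
    """Hardened reader: the declared length must fit in the remaining bytes."""
    if not data or data[0] != 0x04:
        raise DerError("expected OCTET STRING")
    length, pos = _read_length(data, 1)
    available = len(data) - pos
    if length > available:
        raise DerError(
            f"octet string declares {length} bytes but only {available} remain"
        )
    return data[pos:pos + length], data[pos + length:]


def rejects_with_der_error(reader, data):
    """True if `reader` raises DerError on `data`, False if it returns."""
    try:
        reader(data)
    except DerError:
        return True
    return False


# Constructed samples: a well-formed 3-byte OCTET STRING followed by two
# trailing bytes, and a header that declares 32 bytes but carries only 2.
GOOD = bytes([0x04, 0x03, 0xAA, 0xBB, 0xCC, 0x30, 0x00])
TRUNCATED = bytes([0x04, 0x20, 0x01, 0x02])

if __name__ == "__main__":
    print(remove_octet_string_checked(GOOD))
    print(remove_octet_string_naive(TRUNCATED))
    print(rejects_with_der_error(remove_octet_string_checked, TRUNCATED))
```

The check worth carrying into any DER reader is the comparison of `length` against `len(data) - pos` before slicing; without it, the parse succeeds on garbage and the failure surfaces later as an unrelated exception, which is the behaviour the advisory describes.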
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Exploitability: 3.9 | Impact: 1.4)
Affected Packages: 4 packages
Patches
Vulnerability Details (4 sources)
GHSA: python-ecdsa: Denial of Service via improper DER length validation in crafted private keys (2026-03-27)
CVEList: python-ecdsa: Denial of Service via improper DER length validation in crafted private keys (2026-03-27)
OSV: CVE-2026-33936: The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature (2026-03-27)
OSV: python-ecdsa: Denial of Service via improper DER length validation in crafted private keys (2026-03-27)