CVE-2026-3446 — Insufficient Verification of Data Authenticity in Software Foundation Cpython

CWE-345 — Insufficient Verification of Data Authenticity CWE-1286 — Improper Validation of Syntactic Correctness of Input7 documents7 sources

Severity

6.0MEDIUMNVD

EPSS

0.0%

top 93.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedApr 10

Description

When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython3.14.0 — 3.14.4+2

🔴Vulnerability Details

GHSA

GHSA-8r9f-h969-mm4m: When calling base64↗2026-04-10

▶

VulDB

Python CPython up to 3.13.12/3.14.3/3.15.0a7 b64decode↗2026-04-10

▶

CVEList

Base64 decoding stops at first padded quad by default↗2026-04-10

▶

📋Vendor Advisories

Red Hat

python: Python base64: Incomplete data decoding due to premature stop at padding↗2026-04-10

▶

💬Community

Bugzilla

CVE-2026-3446 python: Python base64: Incomplete data decoding due to premature stop at padding↗2026-04-10

▶