CVE-2026-34073 (GCVE-0-2026-34073)
Vulnerability from cvelistv5 – Published: 2026-03-31 02:04 – Updated: 2026-03-31 13:52 – CWE-295 - Improper Certificate Validation
| Vendor | Product | Version |
|---|---|---|
| pyca | cryptography | Affected: < 46.0.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T13:50:17.743455Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:52:00.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cryptography",
"vendor": "pyca",
"versions": [
{
"status": "affected",
"version": "\u003c 46.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T02:04:36.275Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"
}
],
"source": {
"advisory": "GHSA-m959-cc7f-wv43",
"discovery": "UNKNOWN"
},
"title": "cryptography has incomplete DNS name constraint enforcement on peer names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34073",
"datePublished": "2026-03-31T02:04:36.275Z",
"dateReserved": "2026-03-25T16:21:40.868Z",
"dateUpdated": "2026-03-31T13:52:00.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-34073",
"date": "2026-05-02",
"epss": "9e-05",
"percentile": "0.00975"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-34073\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-31T03:15:59.123\",\"lastModified\":\"2026-04-06T15:30:27.887\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \\\"peer name\\\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.\"},{\"lang\":\"es\",\"value\":\"cryptography es un paquete dise\u00f1ado para exponer primitivas criptogr\u00e1ficas y recetas a los desarrolladores de Python. Antes de la versi\u00f3n 46.0.6, las restricciones de nombre DNS solo se validaban contra los SANs dentro de los certificados secundarios, y no contra el \u0027nombre del par\u0027 presentado durante cada validaci\u00f3n. En consecuencia, cryptography permitir\u00eda que un par llamado bar.example.com se validara contra un certificado hoja comod\u00edn para *.example.com, incluso si el certificado padre de la hoja (o superior) conten\u00eda una restricci\u00f3n de sub\u00e1rbol excluido para bar.example.com. 
Este problema ha sido parcheado en la versi\u00f3n 46.0.6.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":1.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired
\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"46.0.6\",\"matchCriteriaId\":\"E26252E8-09AF-4AAC-B25D-A89A3B9F6556\"}]}]}],\"references\":[{\"url\":\"https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34073\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-31T13:50:17.743455Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-31T13:51:58.145Z\"}}], \"cna\": {\"title\": \"cryptography has incomplete DNS name constraint enforcement on peer names\", \"source\": {\"advisory\": \"GHSA-m959-cc7f-wv43\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 1.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"pyca\", \"product\": \"cryptography\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 46.0.6\"}]}], \"references\": [{\"url\": \"https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43\", \"name\": \"https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. 
Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \\\"peer name\\\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295: Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-31T02:04:36.275Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-34073\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-31T13:52:00.999Z\", \"dateReserved\": \"2026-03-25T16:21:40.868Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-31T02:04:36.275Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
SUSE-SU-2026:21165-1
Vulnerability from csaf_suse - Published: 2026-04-10 11:26 - Updated: 2026-04-10 11:26
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-cryptography",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-cryptography fixes the following issues:\n\n- CVE-2026-34073: Fixed X.509 bypass of name constraints on wildcard SANs with matching peer names. (bsc#1260876)\n- CVE-2026-26007: missing validation can lead to security issues for signature verification (ECDSA) and shared key negotiation (ECDH) (bsc#1258074).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-522",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21165-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21165-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621165-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21165-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025514.html"
},
{
"category": "self",
"summary": "SUSE Bug 1258074",
"url": "https://bugzilla.suse.com/1258074"
},
{
"category": "self",
"summary": "SUSE Bug 1260876",
"url": "https://bugzilla.suse.com/1260876"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26007 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26007/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34073 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34073/"
}
],
"title": "Security update for python-cryptography",
"tracking": {
"current_release_date": "2026-04-10T11:26:32Z",
"generator": {
"date": "2026-04-10T11:26:32Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21165-1",
"initial_release_date": "2026-04-10T11:26:32Z",
"revision_history": [
{
"date": "2026-04-10T11:26:32Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-cryptography-44.0.3-160000.3.1.aarch64",
"product": {
"name": "python313-cryptography-44.0.3-160000.3.1.aarch64",
"product_id": "python313-cryptography-44.0.3-160000.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-cryptography-44.0.3-160000.3.1.ppc64le",
"product": {
"name": "python313-cryptography-44.0.3-160000.3.1.ppc64le",
"product_id": "python313-cryptography-44.0.3-160000.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-cryptography-44.0.3-160000.3.1.s390x",
"product": {
"name": "python313-cryptography-44.0.3-160000.3.1.s390x",
"product_id": "python313-cryptography-44.0.3-160000.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-cryptography-44.0.3-160000.3.1.x86_64",
"product": {
"name": "python313-cryptography-44.0.3-160000.3.1.x86_64",
"product_id": "python313-cryptography-44.0.3-160000.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.s390x"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.s390x"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-26007",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26007"
}
],
"notes": [
{
"category": "general",
"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor \u003e 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it\u0027s easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26007",
"url": "https://www.suse.com/security/cve/CVE-2026-26007"
},
{
"category": "external",
"summary": "SUSE Bug 1258074 for CVE-2026-26007",
"url": "https://bugzilla.suse.com/1258074"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-10T11:26:32Z",
"details": "moderate"
}
],
"title": "CVE-2026-26007"
},
{
"cve": "CVE-2026-34073",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34073"
}
],
"notes": [
{
"category": "general",
"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34073",
"url": "https://www.suse.com/security/cve/CVE-2026-34073"
},
{
"category": "external",
"summary": "SUSE Bug 1260876 for CVE-2026-34073",
"url": "https://bugzilla.suse.com/1260876"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-10T11:26:32Z",
"details": "moderate"
}
],
"title": "CVE-2026-34073"
}
]
}
SUSE-SU-2026:21021-1
Vulnerability from csaf_suse - Published: 2026-04-10 11:26 - Updated: 2026-04-10 11:26
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-cryptography",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-cryptography fixes the following issues:\n\n- CVE-2026-34073: Fixed X.509 bypass of name constraints on wildcard SANs with matching peer names. (bsc#1260876)\n- CVE-2026-26007: missing validation can lead to security issues for signature verification (ECDSA) and shared key negotiation (ECDH) (bsc#1258074).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-522",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21021-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21021-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621021-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21021-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045385.html"
},
{
"category": "self",
"summary": "SUSE Bug 1258074",
"url": "https://bugzilla.suse.com/1258074"
},
{
"category": "self",
"summary": "SUSE Bug 1260876",
"url": "https://bugzilla.suse.com/1260876"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26007 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26007/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34073 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34073/"
}
],
"title": "Security update for python-cryptography",
"tracking": {
"current_release_date": "2026-04-10T11:26:32Z",
"generator": {
"date": "2026-04-10T11:26:32Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21021-1",
"initial_release_date": "2026-04-10T11:26:32Z",
"revision_history": [
{
"date": "2026-04-10T11:26:32Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-cryptography-44.0.3-160000.3.1.aarch64",
"product": {
"name": "python313-cryptography-44.0.3-160000.3.1.aarch64",
"product_id": "python313-cryptography-44.0.3-160000.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-cryptography-44.0.3-160000.3.1.ppc64le",
"product": {
"name": "python313-cryptography-44.0.3-160000.3.1.ppc64le",
"product_id": "python313-cryptography-44.0.3-160000.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-cryptography-44.0.3-160000.3.1.s390x",
"product": {
"name": "python313-cryptography-44.0.3-160000.3.1.s390x",
"product_id": "python313-cryptography-44.0.3-160000.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-cryptography-44.0.3-160000.3.1.x86_64",
"product": {
"name": "python313-cryptography-44.0.3-160000.3.1.x86_64",
"product_id": "python313-cryptography-44.0.3-160000.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.aarch64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.aarch64"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.ppc64le as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.ppc64le"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.s390x as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.s390x"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-44.0.3-160000.3.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.x86_64"
},
"product_reference": "python313-cryptography-44.0.3-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-26007",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26007"
}
],
"notes": [
{
"category": "general",
"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor \u003e 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA, it\u0027s easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26007",
"url": "https://www.suse.com/security/cve/CVE-2026-26007"
},
{
"category": "external",
"summary": "SUSE Bug 1258074 for CVE-2026-26007",
"url": "https://bugzilla.suse.com/1258074"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-10T11:26:32Z",
"details": "moderate"
}
],
"title": "CVE-2026-26007"
},
{
"cve": "CVE-2026-34073",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34073"
}
],
"notes": [
{
"category": "general",
"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34073",
"url": "https://www.suse.com/security/cve/CVE-2026-34073"
},
{
"category": "external",
"summary": "SUSE Bug 1260876 for CVE-2026-34073",
"url": "https://bugzilla.suse.com/1260876"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.aarch64",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.ppc64le",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.s390x",
"SUSE Linux Micro 6.2:python313-cryptography-44.0.3-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-10T11:26:32Z",
"details": "moderate"
}
],
"title": "CVE-2026-34073"
}
]
}
SUSE-SU-2026:21126-1
Vulnerability from csaf_suse - Published: 2026-04-14 07:57 - Updated: 2026-04-14 07:57
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-cryptography",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-cryptography fixes the following issues:\n\n- CVE-2026-34073: Fixed X.509 bypass of name constraints on wildcard SANs with matching peer names. (bsc#1260876)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-666",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21126-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21126-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621126-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21126-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025419.html"
},
{
"category": "self",
"summary": "SUSE Bug 1260876",
"url": "https://bugzilla.suse.com/1260876"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34073 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34073/"
}
],
"title": "Security update for python-cryptography",
"tracking": {
"current_release_date": "2026-04-14T07:57:50Z",
"generator": {
"date": "2026-04-14T07:57:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21126-1",
"initial_release_date": "2026-04-14T07:57:50Z",
"revision_history": [
{
"date": "2026-04-14T07:57:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-42.0.4-4.1.aarch64",
"product": {
"name": "python311-cryptography-42.0.4-4.1.aarch64",
"product_id": "python311-cryptography-42.0.4-4.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-42.0.4-4.1.s390x",
"product": {
"name": "python311-cryptography-42.0.4-4.1.s390x",
"product_id": "python311-cryptography-42.0.4-4.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-42.0.4-4.1.x86_64",
"product": {
"name": "python311-cryptography-42.0.4-4.1.x86_64",
"product_id": "python311-cryptography-42.0.4-4.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-42.0.4-4.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.aarch64"
},
"product_reference": "python311-cryptography-42.0.4-4.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-42.0.4-4.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.s390x"
},
"product_reference": "python311-cryptography-42.0.4-4.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-42.0.4-4.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.x86_64"
},
"product_reference": "python311-cryptography-42.0.4-4.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34073",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34073"
}
],
"notes": [
{
"category": "general",
"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.aarch64",
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.s390x",
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34073",
"url": "https://www.suse.com/security/cve/CVE-2026-34073"
},
{
"category": "external",
"summary": "SUSE Bug 1260876 for CVE-2026-34073",
"url": "https://bugzilla.suse.com/1260876"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.aarch64",
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.s390x",
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.aarch64",
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.s390x",
"SUSE Linux Micro 6.0:python311-cryptography-42.0.4-4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-14T07:57:50Z",
"details": "moderate"
}
],
"title": "CVE-2026-34073"
}
]
}
SUSE-SU-2026:21116-1
Vulnerability from csaf_suse - Published: 2026-04-14 08:30 - Updated: 2026-04-14 08:30
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-cryptography",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-cryptography fixes the following issues:\n\n- CVE-2026-34073: Fixed X.509 bypass of name constraints on wildcard SANs with matching peer names. (bsc#1260876)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.1-484",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21116-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21116-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621116-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21116-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025427.html"
},
{
"category": "self",
"summary": "SUSE Bug 1260876",
"url": "https://bugzilla.suse.com/1260876"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34073 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34073/"
}
],
"title": "Security update for python-cryptography",
"tracking": {
"current_release_date": "2026-04-14T08:30:04Z",
"generator": {
"date": "2026-04-14T08:30:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21116-1",
"initial_release_date": "2026-04-14T08:30:04Z",
"revision_history": [
{
"date": "2026-04-14T08:30:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64",
"product": {
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64",
"product_id": "python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le",
"product": {
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le",
"product_id": "python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.s390x",
"product": {
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.s390x",
"product_id": "python311-cryptography-42.0.4-slfo.1.1_4.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64",
"product": {
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64",
"product_id": "python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.1",
"product": {
"name": "SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64"
},
"product_reference": "python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le"
},
"product_reference": "python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.s390x as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.s390x"
},
"product_reference": "python311-cryptography-42.0.4-slfo.1.1_4.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64 as component of SUSE Linux Micro 6.1",
"product_id": "SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64"
},
"product_reference": "python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34073",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34073"
}
],
"notes": [
{
"category": "general",
"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.s390x",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34073",
"url": "https://www.suse.com/security/cve/CVE-2026-34073"
},
{
"category": "external",
"summary": "SUSE Bug 1260876 for CVE-2026-34073",
"url": "https://bugzilla.suse.com/1260876"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.s390x",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.aarch64",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.ppc64le",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.s390x",
"SUSE Linux Micro 6.1:python311-cryptography-42.0.4-slfo.1.1_4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-14T08:30:04Z",
"details": "moderate"
}
],
"title": "CVE-2026-34073"
}
]
}
MSRC_CVE-2026-34073
Vulnerability from csaf_microsoft - Published: 2026-03-02 00:00 - Updated: 2026-04-30 01:48
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-34073 cryptography has incomplete DNS name constraint enforcement on peer names - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-34073.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "cryptography has incomplete DNS name constraint enforcement on peer names",
"tracking": {
"current_release_date": "2026-04-30T01:48:15.000Z",
"generator": {
"date": "2026-04-30T07:46:09.277Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-34073",
"initial_release_date": "2026-03-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-04-03T01:01:25.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-04-30T01:48:15.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "azl3 python-cryptography 0:42.0.5-4.azl3",
"product": {
"name": "azl3 python-cryptography 0:42.0.5-4.azl3",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "python-cryptography"
},
{
"category": "product_name",
"name": "cbl2 python-cryptography 0:3.3.2-7.cbl2",
"product": {
"name": "cbl2 python-cryptography 0:3.3.2-7.cbl2",
"product_id": "2"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python-cryptography 0:42.0.5-4.azl3 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 python-cryptography 0:3.3.2-7.cbl2 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34073",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17086-2"
]
}
],
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"known_affected": [
"17084-1"
],
"known_not_affected": [
"17086-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-34073 cryptography has incomplete DNS name constraint enforcement on peer names - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-34073.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2026-04-03T01:01:25.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17084-1"
]
}
],
"title": "cryptography has incomplete DNS name constraint enforcement on peer names"
}
]
}
OPENSUSE-SU-2026:10454-1
Vulnerability from csaf_opensuse - Published: 2026-03-28 00:00 - Updated: 2026-03-28 00:00
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-cryptography-46.0.6-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-cryptography-46.0.6-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10454",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10454-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-34073 page",
"url": "https://www.suse.com/security/cve/CVE-2026-34073/"
}
],
"title": "python311-cryptography-46.0.6-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-28T00:00:00Z",
"generator": {
"date": "2026-03-28T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10454-1",
"initial_release_date": "2026-03-28T00:00:00Z",
"revision_history": [
{
"date": "2026-03-28T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-46.0.6-1.1.aarch64",
"product": {
"name": "python311-cryptography-46.0.6-1.1.aarch64",
"product_id": "python311-cryptography-46.0.6-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-cryptography-46.0.6-1.1.aarch64",
"product": {
"name": "python313-cryptography-46.0.6-1.1.aarch64",
"product_id": "python313-cryptography-46.0.6-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-46.0.6-1.1.ppc64le",
"product": {
"name": "python311-cryptography-46.0.6-1.1.ppc64le",
"product_id": "python311-cryptography-46.0.6-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-cryptography-46.0.6-1.1.ppc64le",
"product": {
"name": "python313-cryptography-46.0.6-1.1.ppc64le",
"product_id": "python313-cryptography-46.0.6-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-46.0.6-1.1.s390x",
"product": {
"name": "python311-cryptography-46.0.6-1.1.s390x",
"product_id": "python311-cryptography-46.0.6-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-cryptography-46.0.6-1.1.s390x",
"product": {
"name": "python313-cryptography-46.0.6-1.1.s390x",
"product_id": "python313-cryptography-46.0.6-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-cryptography-46.0.6-1.1.x86_64",
"product": {
"name": "python311-cryptography-46.0.6-1.1.x86_64",
"product_id": "python311-cryptography-46.0.6-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-cryptography-46.0.6-1.1.x86_64",
"product": {
"name": "python313-cryptography-46.0.6-1.1.x86_64",
"product_id": "python313-cryptography-46.0.6-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-46.0.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.aarch64"
},
"product_reference": "python311-cryptography-46.0.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-46.0.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.ppc64le"
},
"product_reference": "python311-cryptography-46.0.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-46.0.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.s390x"
},
"product_reference": "python311-cryptography-46.0.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-cryptography-46.0.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.x86_64"
},
"product_reference": "python311-cryptography-46.0.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-46.0.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.aarch64"
},
"product_reference": "python313-cryptography-46.0.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-46.0.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.ppc64le"
},
"product_reference": "python313-cryptography-46.0.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-46.0.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.s390x"
},
"product_reference": "python313-cryptography-46.0.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-cryptography-46.0.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.x86_64"
},
"product_reference": "python313-cryptography-46.0.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-34073",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-34073"
}
],
"notes": [
{
"category": "general",
"text": "unknown",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.aarch64",
"openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.ppc64le",
"openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.s390x",
"openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.x86_64",
"openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.aarch64",
"openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.ppc64le",
"openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.s390x",
"openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-34073",
"url": "https://www.suse.com/security/cve/CVE-2026-34073"
},
{
"category": "external",
"summary": "SUSE Bug 1260876 for CVE-2026-34073",
"url": "https://bugzilla.suse.com/1260876"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.aarch64",
"openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.ppc64le",
"openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.s390x",
"openSUSE Tumbleweed:python311-cryptography-46.0.6-1.1.x86_64",
"openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.aarch64",
"openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.ppc64le",
"openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.s390x",
"openSUSE Tumbleweed:python313-cryptography-46.0.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-28T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-34073"
}
]
}
GHSA-M959-CC7F-WV43
Vulnerability from github – Published: 2026-03-27 19:56 – Updated: 2026-04-06 23:13

Summary
In versions of cryptography prior to 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. [Reviewer note: the advisory body as published says "prior to 46.0.5", but the affected range (introduced 0, fixed 46.0.6), the Remediation section below, and the CVE record all give 46.0.6 as the first fixed release — treat 46.0.5 as still affected.]
This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.
In practice, exploitation of this bypass requires an uncommon X.509 topology — a trusted CA or intermediate that carries an excluded-subtree DNS name constraint for a specific host yet has a wildcard leaf covering that same host chained beneath it — one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity. [Reviewer note: the scorers disagree on exactly this point — NVD's CVSS 3.1 vector rates attack complexity Low (5.3, Medium), while the maintainers' CVSS 4.0 vector (AC:H/AT:P, 1.7 Low) and Red Hat's CVSS 3.1 vector (AC:H, 3.7 Low) both rate it High; prioritize according to whether such constrained private CAs exist in your own trust stores.]
See CVE-2025-61727 for a similar bypass in Go's crypto/x509.
Remediation
Users should upgrade to 46.0.6 or newer.
Attribution
Reporter: @1seal
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cryptography"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "46.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34073"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T19:56:21Z",
"nvd_published_at": "2026-03-31T03:15:59Z",
"severity": "LOW"
},
"details": "## Summary\n\nIn versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.\n\nThis behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.\n\nIn practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.\n\nSee CVE-2025-61727 for a similar bypass in Go\u0027s `crypto/x509`.\n\n## Remediation\n\nUsers should upgrade to 46.0.6 or newer. \n\n## Attribution\n\nReporter: @1seal",
"id": "GHSA-m959-cc7f-wv43",
"modified": "2026-04-06T23:13:00Z",
"published": "2026-03-27T19:56:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "cryptography has incomplete DNS name constraint enforcement on peer names"
}
FKIE_CVE-2026-34073
Vulnerability from fkie_nvd - Published: 2026-03-31 03:15 - Updated: 2026-04-06 15:30

| Vendor | Product | Version | |
|---|---|---|---|
| cryptography.io | cryptography | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:*",
"matchCriteriaId": "E26252E8-09AF-4AAC-B25D-A89A3B9F6556",
"versionEndExcluding": "46.0.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6."
},
{
"lang": "es",
"value": "cryptography es un paquete dise\u00f1ado para exponer primitivas criptogr\u00e1ficas y recetas a los desarrolladores de Python. Antes de la versi\u00f3n 46.0.6, las restricciones de nombre DNS solo se validaban contra los SANs dentro de los certificados secundarios, y no contra el \u0027nombre del par\u0027 presentado durante cada validaci\u00f3n. En consecuencia, cryptography permitir\u00eda que un par llamado bar.example.com se validara contra un certificado hoja comod\u00edn para *.example.com, incluso si el certificado padre de la hoja (o superior) conten\u00eda una restricci\u00f3n de sub\u00e1rbol excluido para bar.example.com. Este problema ha sido parcheado en la versi\u00f3n 46.0.6."
}
],
"id": "CVE-2026-34073",
"lastModified": "2026-04-06T15:30:27.887",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 1.7,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-31T03:15:59.123",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
RHSA-2026:7295
Vulnerability from csaf_redhat - Published: 2026-04-09 11:17 - Updated: 2026-04-30 16:32

This advisory covers three distinct CVEs in python-cryptography; the three descriptions below were run together on the original page and are labelled here by the CVE and CWE the advisory assigns to each.

CVE-2026-26007 (CWE-354 - Improper Validation of Integrity Check Value): A validation flaw has been discovered in the python cryptography package. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA, it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this.

CVE-2026-34073 (CWE-295 - Improper Certificate Validation): A flaw was found in the `cryptography` library. This vulnerability occurs because DNS (Domain Name System) name constraints were not properly validated against the "peer name" during certificate validation, only against Subject Alternative Names (SANs) within child certificates. This oversight could allow a malicious actor to bypass security restrictions, enabling a certificate for a specific domain to be validated against a broader wildcard certificate, even when an exclusion for that specific domain exists. This could lead to an attacker impersonating a legitimate server or service.

CVE-2026-39892 (CWE-131 - Incorrect Calculation of Buffer Size): A flaw was found in the cryptography library. This vulnerability occurs when a non-contiguous buffer is passed to certain application programming interfaces (APIs) that accept Python buffers, such as Hash.update(). A remote attacker could exploit this to cause a buffer overflow, potentially leading to a denial of service.

[Reviewer note: the advisory's aggregate severity "Important" is driven by CVE-2026-26007 (Red Hat CVSS 3.1 7.4 High); Red Hat rates CVE-2026-34073 Low (3.7). The fixed package is python-cryptography 46.0.7-1.hum1, and for all three CVEs the aarch64/x86_64 binary products are flagged vulnerable_code_not_present / known_not_affected, with only the src package listed as fixed.]
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:7295",
"url": "https://access.redhat.com/errata/RHSA-2026:7295"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-26007",
"url": "https://access.redhat.com/security/cve/CVE-2026-26007"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-39892",
"url": "https://access.redhat.com/security/cve/CVE-2026-39892"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-34073",
"url": "https://access.redhat.com/security/cve/CVE-2026-34073"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7295.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-30T16:32:48+00:00",
"generator": {
"date": "2026-04-30T16:32:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2026:7295",
"initial_release_date": "2026-04-09T11:17:29+00:00",
"revision_history": [
{
"date": "2026-04-09T11:17:29+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-18T19:57:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T16:32:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "python-cryptography-main@src",
"product": {
"name": "python-cryptography-main@src",
"product_id": "python-cryptography-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-cryptography@46.0.7-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-cryptography-main@aarch64",
"product": {
"name": "python-cryptography-main@aarch64",
"product_id": "python-cryptography-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-cryptography@46.0.7-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python-cryptography-main@x86_64",
"product": {
"name": "python-cryptography-main@x86_64",
"product_id": "python-cryptography-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-cryptography@46.0.7-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-cryptography-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:python-cryptography-main@aarch64"
},
"product_reference": "python-cryptography-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-cryptography-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:python-cryptography-main@src"
},
"product_reference": "python-cryptography-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-cryptography-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:python-cryptography-main@x86_64"
},
"product_reference": "python-cryptography-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-26007",
"cwe": {
"id": "CWE-354",
"name": "Improper Validation of Integrity Check Value"
},
"discovery_date": "2026-02-10T22:01:01.036116+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2438762"
}
],
"notes": [
{
"category": "description",
"text": "A validation flaw has been discovered in the python cryptography package. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor \u003e 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it\u0027s easy to forge signatures on the small subgroup. Only SECT curves are impacted by this.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw, while difficult to exploit, would lead to a loss of integrity in the encrypted communication channel. Given that the cryptography package is a library, it is likely to be used in situations that do not require user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:python-cryptography-main@src"
],
"known_not_affected": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-26007"
},
{
"category": "external",
"summary": "RHBZ#2438762",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438762"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-26007",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26007"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-26007",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26007"
},
{
"category": "external",
"summary": "https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c",
"url": "https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c"
},
{
"category": "external",
"summary": "https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2",
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2"
}
],
"release_date": "2026-02-10T21:42:56.471000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-09T11:17:29+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7295"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@src",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@src",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves"
},
{
"cve": "CVE-2026-34073",
"cwe": {
"id": "CWE-295",
"name": "Improper Certificate Validation"
},
"discovery_date": "2026-03-31T03:01:24.693240+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2453276"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the `cryptography` library. This vulnerability occurs because DNS (Domain Name System) name constraints were not properly validated against the \"peer name\" during certificate validation, only against Subject Alternative Names (SANs) within child certificates. This oversight could allow a malicious actor to bypass security restrictions, enabling a certificate for a specific domain to be validated against a broader wildcard certificate, even when an exclusion for that specific domain exists. This could lead to an attacker impersonating a legitimate server or service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-cryptography: Cryptography: Security bypass due to improper DNS name constraint validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat products and services do not employ certificate chains of the form required for this vulnerability. A Red Hat customer may construct such a certificate chain, however these would be non-default configurations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:python-cryptography-main@src"
],
"known_not_affected": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-34073"
},
{
"category": "external",
"summary": "RHBZ#2453276",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453276"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-34073",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34073"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073"
},
{
"category": "external",
"summary": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43",
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"
}
],
"release_date": "2026-03-31T02:04:36.275000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-09T11:17:29+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7295"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@src",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@src",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "python-cryptography: Cryptography: Security bypass due to improper DNS name constraint validation"
},
{
"cve": "CVE-2026-39892",
"cwe": {
"id": "CWE-131",
"name": "Incorrect Calculation of Buffer Size"
},
"discovery_date": "2026-04-08T22:00:59.416053+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2456735"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the cryptography library. This vulnerability occurs when a non-contiguous buffer is passed to certain application programming interfaces (APIs) that accept Python buffers, such as Hash.update(). A remote attacker could exploit this to cause a buffer overflow, potentially leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cryptography: Cryptography: Buffer overflow via non-contiguous buffer in API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:python-cryptography-main@src"
],
"known_not_affected": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-39892"
},
{
"category": "external",
"summary": "RHBZ#2456735",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456735"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-39892",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39892"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-39892",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39892"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2026/04/08/12",
"url": "http://www.openwall.com/lists/oss-security/2026/04/08/12"
},
{
"category": "external",
"summary": "https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5",
"url": "https://github.com/pyca/cryptography/commit/622d672e429a7cff836a23c5903683dbec1901f5"
},
{
"category": "external",
"summary": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq",
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq"
}
],
"release_date": "2026-04-08T20:49:41.967000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-09T11:17:29+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:7295"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@src",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:python-cryptography-main@aarch64",
"Red Hat Hardened Images:python-cryptography-main@src",
"Red Hat Hardened Images:python-cryptography-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cryptography: Cryptography: Buffer overflow via non-contiguous buffer in API"
}
]
}