Cipher.update_into can corrupt memory in pyca cryptography
Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cryptography library's `Cipher.update_into` allowed mutation of immutable buffers (e.g., bytes), violating Python rules and causing corrupted output.
Vulnerability
CVE-2023-23931 affects the cryptography Python library, specifically the Cipher.update_into method. The method incorrectly accepted Python objects that implement the buffer protocol but provide only immutable buffers, such as bytes. This allowed the method to mutate these immutable objects, violating Python's fundamental rules and leading to corrupted cryptographic output. The issue has existed since update_into was introduced in cryptography 1.8 [1][2].
Exploitation
An attacker could exploit this vulnerability by providing an immutable buffer (e.g., a bytes object) to update_into. No special authentication or network position is required; any code path that passes untrusted data to this method could trigger the behavior. The vulnerability is local to the application using the library [1][3].
Impact
Successful exploitation results in the mutation of immutable objects, which can cause corrupted ciphertext or plaintext output. This may lead to data integrity issues, incorrect cryptographic operations, and potential memory corruption in Python due to violation of buffer semantics [1][4].
Mitigation
The fix was released in cryptography version 39.0.1, which properly raises an exception when an immutable buffer is passed to update_into. Users should upgrade to 39.0.1 or later. No workaround is available [3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
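An added caller-side guard, not code from the cryptography project, that enforces the same rule the 39.0.1 fix enforces inside `ciphers.py` with `from_buffer(buf, require_writable=True)`: the output buffer handed to `update_into` must be writable, and `bytes` is rejected before any native code can write through it. It assumes the library's documented sizing rule (`buf` must hold at least `len(data) + block_size - 1` bytes) and uses a constructed stand-in for `update_into` so it runs without cryptography installed.

```python
"""Caller-side guard mirroring what cryptography 39.0.1 enforces in
Cipher.update_into: the output buffer must be writable and large enough.
Stand-alone; does not import cryptography."""

from typing import Callable


def writable_output_view(buf, needed: int) -> memoryview:
    """Return a flat, writable byte view over buf or raise.

    Read-only buffers (bytes, a read-only memoryview) raise TypeError and
    undersized buffers raise ValueError, the same error classes the patched
    library raises, but before any native code touches the memory.
    """
    try:
        view = memoryview(buf)
    except TypeError as exc:
        raise TypeError("output buffer does not support the buffer protocol") from exc
    if view.readonly:
        raise TypeError(
            f"output buffer of type {type(buf).__name__} is read-only; "
            "pass a bytearray or a writable memoryview"
        )
    flat = view.cast("B")  # view any shape/format as raw bytes
    if flat.nbytes < needed:
        raise ValueError(f"output buffer holds {flat.nbytes} bytes, need at least {needed}")
    return flat


def update_into_checked(update_into: Callable, data: bytes, buf, block_size_bytes: int) -> int:
    """Call an update_into-style function only after the guard passes.

    Assumes the library's documented contract: buf must be at least
    len(data) + block_size - 1 bytes long.
    """
    needed = len(data) + block_size_bytes - 1
    view = writable_output_view(buf, needed)
    return update_into(data, view)


class CopyingUpdateInto:
    """Constructed stand-in for an encryptor's update_into: copies len(data)
    bytes into buf and returns the count, which is all the guard needs."""

    def __call__(self, data: bytes, buf: memoryview) -> int:
        buf[: len(data)] = data
        return len(data)


if __name__ == "__main__":
    data = b"testing"
    good = bytearray(32)
    print(update_into_checked(CopyingUpdateInto(), data, good, 16), bytes(good[:7]))
    # bytes, a read-only memoryview and an undersized bytearray are all refused
    for bad in (b"\x00" * 32, memoryview(bytearray(32)).toreadonly(), bytearray(8)):
        try:
            update_into_checked(CopyingUpdateInto(), data, bad, 16)
        except (TypeError, ValueError) as exc:
            print(type(exc).__name__, exc)
```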
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cryptography (PyPI) | >= 1.8, < 39.0.1 | 39.0.1 |
Affected products
- pyca/cryptography v5 range: >= 1.8, < 39.0.1
Patches
d6951dca25de: changelog + security fix backport (#8231)
5 files changed · +20 −3
CHANGELOG.rst+9 −0 modified@@ -1,6 +1,15 @@ Changelog ========= +.. _v39-0-1: + +39.0.1 - 2023-02-07 +~~~~~~~~~~~~~~~~~~~ + +* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python + buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931** +* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8. + .. _v39-0-0: 39.0.0 - 2023-01-01
src/cryptography/__about__.py+1 −1 modified@@ -9,7 +9,7 @@ "__copyright__", ] -__version__ = "39.0.0" +__version__ = "39.0.1" __author__ = "The Python Cryptographic Authority and individual contributors" __copyright__ = "Copyright 2013-2022 {}".format(__author__)
src/cryptography/hazmat/backends/openssl/ciphers.py+1 −1 modified@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: data_processed = 0 total_out = 0 outlen = self._backend._ffi.new("int *") - baseoutbuf = self._backend._ffi.from_buffer(buf) + baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) baseinbuf = self._backend._ffi.from_buffer(data) while data_processed != total_data_len:
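Review bot: the signature still annotates the output parameter as `buf: bytes` while `from_buffer(buf, require_writable=True)` now rejects `bytes` at runtime; update the annotation (a `bytearray`/`memoryview` union or a writable-buffer alias) so type checkers and the docs stop advertising an argument type the method refuses. Leaving `data` without `require_writable` is correct, since that buffer is only read.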
tests/hazmat/primitives/test_ciphers.py+8 −0 modified@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): with pytest.raises(ValueError): encryptor.update_into(b"testing", buf) + def test_update_into_immutable(self, backend): + key = b"\x00" * 16 + c = ciphers.Cipher(AES(key), modes.ECB(), backend) + encryptor = c.encryptor() + buf = b"\x00" * 32 + with pytest.raises((TypeError, BufferError)): + encryptor.update_into(b"testing", buf) + @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
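Review bot: `test_update_into_immutable` covers only `bytes` as the read-only buffer; add a case with `memoryview(bytearray(32)).toreadonly()` so the test pins the check to buffer writability rather than to the `bytes` type. Sizing `buf` at 32 bytes for a 7-byte input is right, since it keeps the too-small `ValueError` from masking the writability error.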
vectors/cryptography_vectors/__about__.py+1 −1 modified@@ -6,4 +6,4 @@ "__version__", ] -__version__ = "39.0.0" +__version__ = "39.0.1"
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w7pp-m8wf-vj6r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-23931 (ghsa, ADVISORY)
- github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e (ghsa, WEB)
- github.com/pyca/cryptography/pull/8230 (ghsa, WEB)
- github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3 (mitre, x_refsource_MISC)
- github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r (ghsa, x_refsource_CONFIRM, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml (ghsa, WEB)
- lists.debian.org/debian-lts-announce/2024/10/msg00012.html (ghsa, WEB)
- security.netapp.com/advisory/ntap-20230324-0007 (ghsa, WEB)