Critical severity 9.8 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 15, 2026
CVE-2026-39892
Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cryptography (PyPI) | >= 45.0.0, < 46.0.7 | 46.0.7 |
Affected products
osv-coords: 74 versions (no CPE listed for any entry)

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/airflow-2 | < 2.11.2-r8 |
| pkg:apk/chainguard/airflow-3 | < 3.2.0-r1 |
| pkg:apk/chainguard/airflow-core-2 | < 2.11.2-r5 |
| pkg:apk/chainguard/airflow-core-3 | < 3.2.0-r2 |
| pkg:apk/chainguard/apache-beam-python-3.11-sdk | < 2.73.0-r6 |
| pkg:apk/chainguard/apache-beam-python-3.12-sdk | < 2.72.0-r2 |
| pkg:apk/chainguard/apache-beam-python-3.13-sdk | < 2.73.0-r4 |
| pkg:apk/chainguard/authentik-2025.12 | < 2025.12.4-r3 |
| pkg:apk/chainguard/authentik-2026.2 | < 2026.2.1-r3 |
| pkg:apk/chainguard/barman-cloudnative-pg | < 3.18.0-r2 |
| pkg:apk/chainguard/dagster | < 1.13.2-r0 |
| pkg:apk/chainguard/dask-kubernetes | < 2026.3.0-r3 |
| pkg:apk/chainguard/datadog-agent-7.71-core-integrations | < 7.71.2-r26 |
| pkg:apk/chainguard/datadog-agent-7.72-core-integrations | < 7.72.4-r27 |
| pkg:apk/chainguard/datadog-agent-7.74-core-integrations | < 7.74.1-r19 |
| pkg:apk/chainguard/datadog-agent-7.75-core-integrations | < 7.75.4-r6 |
| pkg:apk/chainguard/datadog-agent-fips-7.71-core-integrations | < 7.71.2-r20 |
| pkg:apk/chainguard/datadog-agent-fips-7.72-core-integrations | < 7.72.4-r18 |
| pkg:apk/chainguard/datadog-agent-fips-7.73-core-integrations | < 7.73.3-r17 |
| pkg:apk/chainguard/datadog-agent-fips-7.74-core-integrations | < 7.74.1-r16 |
| pkg:apk/chainguard/datadog-agent-fips-7.75-core-integrations | < 7.75.4-r4 |
| pkg:apk/chainguard/ggshield | < 1.51.0-r5 |
| pkg:apk/chainguard/gitlab-toolbox-ce-fips-18.7 | < 18.7.6-r2 |
| pkg:apk/chainguard/in-toto | < 3.1.0-r0 |
| pkg:apk/chainguard/jupyter-base-notebook | < 7.5.5-r4 |
| pkg:apk/chainguard/k8s-sidecar | < 2.6.0-r0 |
| pkg:apk/chainguard/kserve-storage-controller | < 0.16.0-r25 |
| pkg:apk/chainguard/kubeflow-jupyter-web-app | < 1.10.0-r15 |
| pkg:apk/chainguard/kubeflow-pipelines-visualization-server | < 2.16.0-r4 |
| pkg:apk/chainguard/kubeflow-volumes-web-app | < 1.10.0-r16 |
| pkg:apk/chainguard/label-studio | < 1.23.0-r3 |
| pkg:apk/chainguard/localstack | < 4.14.0-r8 |
| pkg:apk/chainguard/metaflow-service | < 2.5.0-r10 |
| pkg:apk/chainguard/mitmproxy | < 12.2.2-r1 |
| pkg:apk/chainguard/mycli | < 1.68.1-r0 |
| pkg:apk/chainguard/nemo | < 2.7.2-r2 |
| pkg:apk/chainguard/opal | < 0.9.4-r2 |
| pkg:apk/chainguard/open-webui | < 0.8.12-r3 |
| pkg:apk/chainguard/pgadmin4 | < 9.14-r1 |
| pkg:apk/chainguard/pgadmin4-fips | < 9.14-r1 |
| pkg:apk/chainguard/py3.11-prefect | < 3.7.3-r0 |
| pkg:apk/chainguard/py3.12-prefect | < 3.7.3-r0 |
| pkg:apk/chainguard/py3.13-prefect | < 3.7.3-r0 |
| pkg:apk/chainguard/py3.14-prefect | < 3.7.3-r0 |
| pkg:apk/chainguard/py3-cassandra-medusa | < 0.27.1-r2 |
| pkg:apk/chainguard/request-1276 | < 0.27.1-r2 |
| pkg:apk/chainguard/semgrep | < 1.160.0-r0 |
| pkg:apk/chainguard/superset-5.0 | < 5.0.0-r23 |
| pkg:apk/chainguard/superset-6.0 | < 6.0.0-r8 |
| pkg:apk/chainguard/tritonserver-backend-vllm-cuda-13.0 | < 25.11-r4 |
| pkg:apk/chainguard/vllm-openai-cuda-12.9 | < 0.19.0-r0 |
| pkg:apk/chainguard/wazuh-manager-framework | < 4.14.4-r5 |
| pkg:apk/wolfi/airflow-3 | < 3.2.0-r1 |
| pkg:apk/wolfi/dask-kubernetes | < 2026.3.0-r3 |
| pkg:apk/wolfi/datadog-agent-7.72-core-integrations | < 7.72.4-r27 |
| pkg:apk/wolfi/datadog-agent-7.74-core-integrations | < 7.74.1-r19 |
| pkg:apk/wolfi/datadog-agent-7.75-core-integrations | < 7.75.4-r6 |
| pkg:apk/wolfi/ggshield | < 1.51.0-r5 |
| pkg:apk/wolfi/in-toto | < 3.1.0-r0 |
| pkg:apk/wolfi/jupyter-base-notebook | < 7.5.5-r4 |
| pkg:apk/wolfi/k8s-sidecar | < 2.6.0-r0 |
| pkg:apk/wolfi/kserve-storage-controller | < 0.16.0-r25 |
| pkg:apk/wolfi/kubeflow-jupyter-web-app | < 1.10.0-r15 |
| pkg:apk/wolfi/kubeflow-pipelines-visualization-server | < 2.16.0-r4 |
| pkg:apk/wolfi/kubeflow-volumes-web-app | < 1.10.0-r16 |
| pkg:apk/wolfi/mitmproxy | < 12.2.2-r1 |
| pkg:apk/wolfi/mycli | < 1.68.1-r0 |
| pkg:apk/wolfi/open-webui | < 0.8.12-r3 |
| pkg:apk/wolfi/py3-cassandra-medusa | < 0.27.1-r2 |
| pkg:apk/wolfi/semgrep | < 1.160.0-r0 |
| pkg:apk/wolfi/superset-5.0 | < 5.0.0-r23 |
| pkg:apk/wolfi/superset-6.0 | < 6.0.0-r8 |
| pkg:pypi/cryptography | >= 45.0.0, < 46.0.7 |
| pkg:rpm/opensuse/python-cryptography&distro=openSUSE%20Tumbleweed | < 46.0.7-1.1 |
References
- www.openwall.com/lists/oss-security/2026/04/08/12 (nvd: Mailing List, Release Notes, Third Party Advisory; WEB)
- github.com/advisories/GHSA-p423-j2cm-9vmq (ghsa: ADVISORY)
- github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq (nvd: Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-39892 (ghsa: ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2026-36.yaml (ghsa: WEB)