CRITICAL 9.8

PYSEC-2026-36

Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / cryptography

Introduced in: 45.0.0 Fixed in: 46.0.7

Fix pip install --upgrade 'cryptography>=46.0.7'

References

http://www.openwall.com/lists/oss-security/2026/04/08/12 [ADVISORY]
https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq [ADVISORY]