CVE-2026-39892
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk47th percentile - higher than 47% of all known CVEs
Summary
A vulnerability in the cryptography library for Python allows buffer overflow when processing non-contiguous buffers passed to APIs such as Hash.update(). The issue affects versions from 45.0.0 to 46.0.6.
Risk Assessment
An attacker could exploit this vulnerability to execute code or cause application crashes, potentially leading to data confidentiality or integrity breaches.
Recommendation
Immediately update the cryptography library to version 46.0.7 or later.
Original NVD description (English source)
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

