CVE-2024-26130

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26130
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26130.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26130
Aliases
Downstream
Related
Published
2024-02-21T16:28:18Z
Modified
2025-10-30T20:24:56.232586Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serialize_key_and_certificates is called with both a certificate whose public key did not match the provided private key and an encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a ValueError is properly raised.

Database specific 
{
    "cwe_ids": [
        "CWE-476"
    ]
}
References

Affected packages

Git / github.com/pyca/cryptography

Affected ranges

Type
GIT
Repo
https://github.com/pyca/cryptography
Events
Introduced
52d6f1a491f6ade379ace124b843ffba9fb4ab4f
Fixed
fe18470f7d05f963e7267e34fdf985d81ea6ceea

Affected versions

38.*

38.0.0

39.*

39.0.0

40.*

40.0.0

41.*

41.0.0

42.*

42.0.0
42.0.1
42.0.2
42.0.3