Cryptography

This hub aggregates every CVE we track for Cryptography, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Cryptography.

• CVE-2026-39892cryptography has a buffer overflow if non-contiguous buffers were passed to APIs9.8Apr 8, 2026
• CVE-2026-34073cryptography has incomplete DNS name constraint enforcement on peer names5.3Mar 31, 2026
• CVE-2026-26007cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves6.5Feb 10, 2026
• CVE-2024-12797RFC7250 handshakes with unauthenticated servers don't abort as expected6.3Feb 11, 2025
• CVE-2024-26130cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override7.5Feb 21, 2024
• CVE-2023-50782Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-256597.5Feb 5, 2024
• CVE-2024-0727PKCS12 Decoding crashes5.5Jan 26, 2024
• CVE-2023-49083cryptography vulnerable to NULL-dereference when loading PKCS7 certificates5.9Nov 29, 2023
• CVE-2023-38325The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.7.5Jul 14, 2023
• CVE-2023-0286X.400 address type confusion in X.509 GeneralName7.4Feb 8, 2023
• CVE-2023-23931Cipher.update_into can corrupt memory in pyca cryptography4.8Feb 7, 2023
• CVE-2020-36242In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstra...9.1Feb 7, 2021
• CVE-2020-25659python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.5.9Jan 11, 2021
• CVE-2018-10903A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passi...7.5Jul 30, 2018
• CVE-2016-9243HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.7.5Mar 27, 2017