CVE-2024-26130

Aliases: GHSA-6vqw-3v5j-54x4, PYSEC-2024-225
Status: Analyzed
Published: 21 Feb 2024, 16:28
Last modified: 14 Aug 2024, 20:01

Vulnerability Summary

Overall risk (default): medium, 30/100
CVSS score: 7.5 HIGH (v3.1, cve.org)
EPSS score: 0.44% LOW (+0.10%)
KEV: not listed
Ransomware: no reports
Public exploits: none found
Dark web: not detected

Timeline

21 Feb 2024, 16:28: Published (vulnerability first disclosed)
14 Aug 2024, 20:01: Last modified (vulnerability information updated)

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key does not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), a NULL pointer dereference occurs, crashing the Python process. This was resolved in version 42.0.4, the first version that properly raises a `ValueError` instead. The impact is confined to availability (the CVSS vector scores C:N/I:N/A:H): the crash takes down the interpreter, so the exposure is a denial of service in services that build PKCS#12 bundles from certificate or key material they do not fully control.

CVSS Metrics

  • v3.1 HIGH, score 7.5: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.44% (percentile: 63%)

Techniques & Countermeasures

  • CWE-476: NULL Pointer Dereference

    The product dereferences a pointer that it expects to be valid but is NULL.

Affected Systems

  • cryptography.io / cryptography

    ≥ 38.0.0, < 42.0.4

  • pyca/cryptography

    ≥ 38.0.0, < 42.0.4

  • PyPI: cryptography

    ≥ 38.0.0, < 42.0.4 | fixed in commit 97d231672763cdb5959a3b191e692a362f1b9e55
