Python/cryptography/46.0.6


cryptography is a package which provides cryptographic recipes and primitives to Python developers.

https://pypi.org/project/cryptography
UNKNOWN

2 Security Vulnerabilities

Vulnerable OpenSSL included in cryptography wheels

Published date: 2026-06-15T20:12:27Z

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptography 48.0.1 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.

If you are building cryptography from source (sdist), then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Affected versions: ["48.0.0", "47.0.0", "46.0.7", "46.0.6", "46.0.5", "46.0.4", "46.0.3", "46.0.2", "46.0.1", "46.0.0", "45.0.7", "45.0.6", "45.0.5", "45.0.4", "45.0.3", "45.0.2", "45.0.1", "45.0.0", "44.0.3", "44.0.2", "44.0.1", "44.0.0", "43.0.3", "43.0.1", "43.0.0", "43.0.0.dev1", "42.0.8", "42.0.7", "42.0.6", "42.0.5", "42.0.4", "42.0.3", "42.0.2", "42.0.1", "42.0.0", "41.0.7", "41.0.6", "41.0.5", "41.0.4", "41.0.3", "41.0.2", "41.0.1", "41.0.0", "40.0.2", "40.0.1", "40.0.0", "39.0.2", "39.0.1", "39.0.0", "38.0.4", "38.0.3", "38.0.2", "38.0.1", "38.0.0", "37.0.4", "37.0.3", "37.0.2", "37.0.1", "37.0.0", "36.0.2", "36.0.1", "36.0.0", "35.0.0", "3.4.8", "3.4.7", "3.4.6", "3.4.5", "3.4.4", "3.4.3", "3.4.2", "3.4.1", "3.4", "3.3.2", "3.3.1", "3.3", "3.2.1", "3.2", "3.1.1", "3.1", "3.0", "2.9.2", "2.9.1", "2.9", "2.8", "2.7", "2.6.1", "2.6", "2.5", "2.4.2", "2.4.1", "2.4", "2.3.1", "2.3", "2.2.2", "2.2.1", "2.2", "2.1.4", "2.1.3", "2.1.2", "2.1.1", "2.1", "2.0.3", "2.0.2", "2.0.1", "2.0", "1.9", "1.8.2", "1.8.1", "1.8", "1.7.2", "1.7.1", "1.7", "1.6", "1.5.3", "1.5.2", "1.5.1", "1.5", "1.4", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3", "1.2.3", "1.2.2", "1.2.1", "1.2", "1.1.2", "1.1.1", "1.1", "1.0.2", "1.0.1", "1.0", "0.9.3", "0.9.2", "0.9.1", "0.9", "0.8.2", "0.8.1", "0.8", "0.7.2", "0.7.1", "0.7", "0.6.1", "0.6", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5"]
Secure versions: [48.0.1, 49.0.0]
Recommendation: Update to version 49.0.0.

Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs

Published date: 2026-04-08T19:23:08Z
CVE: CVE-2026-39892

If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. For example:

from cryptography.hazmat.primitives.hashes import Hash, SHA256
h = Hash(SHA256())
h.update(buf[::-1])

would read past the end of the buffer on Python >3.11.

Affected versions: ["46.0.6", "46.0.5", "46.0.4", "46.0.3", "46.0.2", "46.0.1", "46.0.0", "45.0.7", "45.0.6", "45.0.5", "45.0.4", "45.0.3", "45.0.2", "45.0.1", "45.0.0"]
Secure versions: [48.0.1, 49.0.0]
Recommendation: Update to version 49.0.0.
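The following is an added example, not code from the advisory or from pyca/cryptography. It shows how to tell a contiguous buffer from a strided or reversed view of the kind the advisory describes, and how to flatten such a view before passing it to a buffer-accepting API. The helper names and the sample data are hypothetical, and the standard library's hashlib stands in for the hashing call so the block runs without the affected package; upgrading remains the fix.

```python
import hashlib


def buffer_layout(data):
    """Return (c_contiguous, strides, nbytes) for any buffer-protocol object."""
    view = memoryview(data)
    return view.c_contiguous, view.strides, view.nbytes


def as_contiguous(data):
    """Return a C-contiguous memoryview holding the logical bytes of data.

    Contiguous input is passed through without copying; a strided or
    reversed view is flattened into a fresh bytes object first.
    """
    view = memoryview(data)
    if view.c_contiguous:
        return view
    return memoryview(view.tobytes())


def sha256_hex(data):
    """Hash the logical contents of data, whatever its memory layout."""
    return hashlib.sha256(as_contiguous(data)).hexdigest()


# Constructed sample input (not taken from the advisory).
SAMPLE = bytearray(b"0123456789abcdef")

if __name__ == "__main__":
    cases = [
        # Slicing bytes copies, so the result is a new contiguous object.
        ("bytes reversed", bytes(SAMPLE)[::-1]),
        # A plain sub-range of a memoryview is still contiguous.
        ("memoryview [4:12]", memoryview(SAMPLE)[4:12]),
        # Negative or non-unit steps give a view with stride != itemsize.
        ("memoryview [::-1]", memoryview(SAMPLE)[::-1]),
        ("memoryview [::2]", memoryview(SAMPLE)[::2]),
    ]
    for label, obj in cases:
        print(f"{label:20} {buffer_layout(obj)} {sha256_hex(obj)[:16]}")
```

Only the memoryview cases with a step produce a non-contiguous layout: `buf[::-1]` on a `bytes` object is already a contiguous copy.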

158 Other Versions

Version License Security Released
0.5.1 Apache-2.0 8 2014-07-08 - 03:26 almost 12 years
0.5 Apache-2.0 8 2014-07-07 - 18:13 almost 12 years
0.4 Apache-2.0 6 2014-05-03 - 14:57 about 12 years
0.3 Apache-2.0 6 2014-03-27 - 21:10 about 12 years
0.2.2 Apache-2.0 6 2014-03-04 - 02:00 over 12 years
0.2.1 Apache-2.0 6 2014-02-22 - 21:55 over 12 years
0.2 Apache-2.0 6 2014-02-20 - 19:50 over 12 years
0.1 Apache-2.0 6 2014-01-08 - 23:17 over 12 years