From eb3aa7c08a2ef69e51bd8f62fdc1b6ae0217b996 Mon Sep 17 00:00:00 2001
From: martinPavesio
Date: Thu, 28 May 2026 20:22:34 -0300
Subject: [PATCH 1/8] Backport CVE-2026-26007: validate EC public key subgroup membership

Add EC_KEY_check_key() to CFFI bindings and call it after all three EC public key construction paths in the OpenSSL backend:
- load_der_public_key / load_pem_public_key (after EVP_PKEY_get1_EC_KEY)
- _ec_key_set_public_key_affine_coordinates (covers load_elliptic_curve_public_numbers)
- load_elliptic_curve_public_bytes (EC_POINT_oct2point path)
Without this check an attacker could supply a small-order subgroup key to leak private key bits via ECDH or forge ECDSA signatures. GHSA-r6ph-v2qm-q3c2 / CVE-2026-26007. Upstream fix: cryptography 46.0.5.
---
 src/_cffi_src/openssl/ec.py | 1 +
 .../hazmat/backends/openssl/backend.py | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py
index 6432fc22e9e0..5f1b212afdea 100644
--- a/src/_cffi_src/openssl/ec.py
+++ b/src/_cffi_src/openssl/ec.py
@@ -55,6 +55,7 @@ int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *);
 void EC_KEY_set_asn1_flag(EC_KEY *, int);
 int EC_KEY_generate_key(EC_KEY *);
+int EC_KEY_check_key(const EC_KEY *);
 int EC_KEY_set_public_key_affine_coordinates(EC_KEY *, BIGNUM *, BIGNUM *);
 EC_POINT *EC_POINT_new(const EC_GROUP *);
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 8ff1e50130da..16ebed98ca03 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -753,6 +753,11 @@ def _evp_pkey_to_public_key(self, evp_pkey):
 ec_cdata = self._lib.EVP_PKEY_get1_EC_KEY(evp_pkey)
 self.openssl_assert(ec_cdata != self._ffi.NULL)
 ec_cdata = self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
+ # Backport of CVE-2026-26007: validate subgroup membership
+ res = self._lib.EC_KEY_check_key(ec_cdata)
+ if res != 1:
+ self._consume_errors()
+ raise ValueError("Invalid EC key.")
 return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
 elif key_type in self._dh_types:
 dh_cdata = self._lib.EVP_PKEY_get1_DH(evp_pkey)
@@ -1610,6 +1615,11 @@ def load_elliptic_curve_public_bytes(self, curve, point_bytes):
 res = self._lib.EC_KEY_set_public_key(ec_cdata, point)
 self.openssl_assert(res == 1)
+ # Backport of CVE-2026-26007: validate subgroup membership
+ res = self._lib.EC_KEY_check_key(ec_cdata)
+ if res != 1:
+ self._consume_errors()
+ raise ValueError("Invalid EC key.")
 evp_pkey = self._ec_cdata_to_evp_pkey(ec_cdata)
 return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
@@ -1883,6 +1893,12 @@ def _ec_key_set_public_key_affine_coordinates(self, ctx, x, y):
 self._consume_errors()
 raise ValueError("Invalid EC key.")
+ # Backport of CVE-2026-26007: validate subgroup membership
+ res = self._lib.EC_KEY_check_key(ctx)
+ if res != 1:
+ self._consume_errors()
+ raise ValueError("Invalid EC key.")
+
 return ctx
 def _private_key_bytes(
From a898d8a208a3c183e010fa8cb9b30995df223190 Mon Sep 17 00:00:00 2001
From: martinPavesio
Date: Thu, 28 May 2026 20:22:34 -0300
Subject: [PATCH 2/8] Release 3.3.2+security.2

Version string: 3.3.2+security.2 (PEP 440 local identifier)
Git tag: 3.3.2.2
CHANGELOG.rst updated with security release notes.
---
 CHANGELOG.rst | 12 ++++++++++++
 src/cryptography/__about__.py | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c69c0d9c90be..32a5e86dd612 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
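Review bot: The four-line EC_KEY_check_key() / _consume_errors() / ValueError sequence is pasted verbatim into all three hunks (_evp_pkey_to_public_key, load_elliptic_curve_public_bytes and _ec_key_set_public_key_affine_coordinates); a single private helper called as `self._ec_key_check_key(ec_cdata)` would keep the error handling and the CVE reference in one place and make the backport easier to audit. The diffstat lists only ec.py and backend.py, so nothing pins the new ValueError path; a regression test needs a point that is on the curve but outside the generator's subgroup, which as far as I can tell is only possible on a curve with cofactor greater than 1 (the binary SECT curves, if the system OpenSSL still builds them), since on the prime-order NIST and brainpool curves every on-curve point satisfies the order check and a test there would only exercise the pre-existing on-curve rejection. The private-key construction paths (_evp_pkey_to_private_key, load_elliptic_curve_private_numbers) are outside this patch; if they reach EC_KEY_set_private_key without a check, the same helper placed after it would additionally verify that the stored public point matches the private scalar, which EC_KEY_check_key does when a private key is present. All three enclosing functions begin and end outside their hunks.
```python
    def _ec_key_check_key(self, ec_cdata):
        """Backport of CVE-2026-26007: reject an EC_KEY whose public point fails
        EC_KEY_check_key() (off-curve, at infinity, or outside the generator's
        subgroup). Drains the OpenSSL error queue, then raises ValueError."""
        res = self._lib.EC_KEY_check_key(ec_cdata)
        if res != 1:
            self._consume_errors()
            raise ValueError("Invalid EC key.")

    # … unchanged: _evp_pkey_to_public_key up to the EC_KEY_free gc wrapper …
            self._ec_key_check_key(ec_cdata)
            return _EllipticCurvePublicKey(self, ec_cdata, evp_pkey)
    # … unchanged: the same one-line call replaces the pasted block in the other two hunks …
```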
@@ -1,6 +1,18 @@
 Changelog
 =========
+.. _v3-3-2-2:
+
+3.3.2+security.2 - 2026-05-28
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE** - Fixed missing EC public key subgroup membership
+ validation in all public key loading paths. An attacker could supply a
+ public key from a small-order subgroup to leak private key bits via ECDH
+ (CRT attack) or forge ECDSA signatures. Added ``EC_KEY_check_key()`` call
+ to CFFI bindings and all three EC public key construction paths in the
+ OpenSSL backend. **CVE-2026-26007** (GHSA-r6ph-v2qm-q3c2)
+
 .. _v3-3-2-1:
 3.3.2.1 - 2024-01-18
diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
index ad7507ff6a61..5421a2b40c6e 100644
--- a/src/cryptography/__about__.py
+++ b/src/cryptography/__about__.py
@@ -22,7 +22,7 @@
 )
 __uri__ = "https://github.com/pyca/cryptography"
-__version__ = "3.3.2.1"
+__version__ = "3.3.2+security.2"
 __author__ = "The cryptography developers"
 __email__ = "cryptography-dev@python.org"
From 903f8cffa6693ef5247d7fe4baf96613936d9d3f Mon Sep 17 00:00:00 2001
From: martinPavesio
Date: Fri, 29 May 2026 12:02:54 -0300
Subject: [PATCH 3/8] Security assessment: CVE-2023-0286 not applicable (system OpenSSL, not bundled wheels)

---
 CHANGELOG.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 32a5e86dd612..bdf41d30ff16 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,15 @@
 Changelog
 =========
+.. _security-assessment-cve-2023-0286:
+
+Security Assessment - CVE-2023-0286 (GHSA-x4qr-2fvf-3mr5)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* **NOT APPLICABLE** - OpenSSL X.509 GeneralName type confusion. The ActiveState
+ Platform build links against system OpenSSL (1.11.0.23), not bundled OpenSSL
+ wheels. System OpenSSL >= 1.1.1t contains the fix. No code change required.
+
 .. _v3-3-2-2:
 3.3.2+security.2 - 2026-05-28
From 5e01d31bdd8b3a80b380e8d76acdd2d3c019970c Mon Sep 17 00:00:00 2001
From: martinPavesio
Date: Fri, 29 May 2026 12:04:59 -0300
Subject: [PATCH 4/8] Security assessment: CVE-2023-50782 cannot fix at CFFI layer (requires OpenSSL 3.2+ constant-time RSA)

---
 CHANGELOG.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index bdf41d30ff16..1175a0c32dd8 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,16 @@
 Changelog
 =========
+.. _security-assessment-cve-2023-50782:
+
+Security Assessment - CVE-2023-50782 (GHSA-3ww4-gg4f-jr7f)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* **CANNOT FIX AT CFFI LAYER** - RSA PKCS#1 v1.5 Bleichenbacher timing oracle.
+ Constant-time RSA decryption requires OpenSSL 3.2+. Our build uses system
+ OpenSSL 1.1.x; no Python/CFFI code change can address this timing property.
+ Applications requiring constant-time PKCS#1v1.5 must migrate to a newer OpenSSL.
+
 .. _security-assessment-cve-2023-0286:
 Security Assessment - CVE-2023-0286 (GHSA-x4qr-2fvf-3mr5)
From 87816d3241f15b8d6c98467b6e7a31bb8544c3d5 Mon Sep 17 00:00:00 2001
From: martinPavesio
Date: Fri, 29 May 2026 12:04:59 -0300
Subject: [PATCH 5/8] Security assessment: CVE-2024-0727 not applicable (OpenSSL 3.x only, we use 1.x)

---
 CHANGELOG.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 1175a0c32dd8..b1e2c8ca95af 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,15 @@
 Changelog
 =========
+.. _security-assessment-cve-2024-0727:
+
+Security Assessment - CVE-2024-0727 (GHSA-9v9h-cgj8-h64p)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* **NOT APPLICABLE** - OpenSSL PKCS#12 null pointer dereference. Fixed in
+ OpenSSL 3.0.13 / 3.1.5 / 3.2.1 (OpenSSL 3.x series only). Our build uses
+ system OpenSSL 1.1.x which is unaffected by this vulnerability.
+
 .. _security-assessment-cve-2023-50782:
 Security Assessment - CVE-2023-50782 (GHSA-3ww4-gg4f-jr7f)
From 566a979ceedf63c56e56ef16c2aaed4559f27c23 Mon Sep 17 00:00:00 2001
From: martinPavesio
Date: Fri, 29 May 2026 12:04:59 -0300
Subject: [PATCH 6/8] Security assessment: CVE-2026-34073 not applicable (x509.verification API not in 3.3.2)

---
 CHANGELOG.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index b1e2c8ca95af..4344ac432b4f 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,16 @@
 Changelog
 =========
+.. _security-assessment-cve-2026-34073:
+
+Security Assessment - CVE-2026-34073 (GHSA-m959-cc7f-wv43)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* **NOT APPLICABLE** - Name constraint bypass on wildcard SANs during X.509
+ verification. The fix is in the x509.verification module
+ (CertificateVerificationContext) first introduced in cryptography 40.0.
+ This API does not exist in 3.3.2 — the vulnerable code path is absent.
+
 .. _security-assessment-cve-2024-0727:
 Security Assessment - CVE-2024-0727 (GHSA-9v9h-cgj8-h64p)
From 31ef0b86f6213c058e2cdaa824d4277c4b4b8e70 Mon Sep 17 00:00:00 2001
From: martinPavesio
Date: Fri, 29 May 2026 12:04:59 -0300
Subject: [PATCH 7/8] Security assessment: GHSA-5cpq/jm77/v8gr not applicable (OpenSSL bundled-wheel CVEs, we use system 1.x)

---
 CHANGELOG.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 4344ac432b4f..036110c47db6 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,15 @@
 Changelog
 =========
+.. _security-assessment-ghsa-5cpq-jm77-v8gr:
+
+Security Assessment - GHSA-5cpq-8wj7-hf2v, GHSA-jm77-qphf-c4w8, GHSA-v8gr-m533-ghj9
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+* **NOT APPLICABLE** - Three OpenSSL vulnerabilities affecting bundled-wheel
+ distributions only (OpenSSL 3.x series). Our build uses system OpenSSL 1.1.x
+ which is unaffected. No code change required.
+
 .. _security-assessment-cve-2026-34073:
 Security Assessment - CVE-2026-34073 (GHSA-m959-cc7f-wv43)
From b67c0779df45225b5faaa13cd956a4f5fbc9024d Mon Sep 17 00:00:00 2001
From: martinPavesio
Date: Fri, 29 May 2026 12:05:36 -0300
Subject: [PATCH 8/8] Release 3.3.2+security.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Version string: 3.3.2+security.3 (PEP 440 local identifier)
Git tag: 3.3.2.3
Security assessment entries for 7 CVEs — all not applicable or not fixable at the CFFI layer for this Python 2.7 / system OpenSSL build.
---
 CHANGELOG.rst | 5 +++++
 src/cryptography/__about__.py | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 036110c47db6..18a2882ccb54 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,11 @@
 Changelog
 =========
+.. _v3-3-2-3:
+
+3.3.2+security.3 - 2026-05-29
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 .. _security-assessment-ghsa-5cpq-jm77-v8gr:
 Security Assessment - GHSA-5cpq-8wj7-hf2v, GHSA-jm77-qphf-c4w8, GHSA-v8gr-m533-ghj9
diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
index 5421a2b40c6e..b04c41d0e1bb 100644
--- a/src/cryptography/__about__.py
+++ b/src/cryptography/__about__.py
@@ -22,7 +22,7 @@
 )
 __uri__ = "https://github.com/pyca/cryptography"
-__version__ = "3.3.2+security.2"
+__version__ = "3.3.2+security.3"
 __author__ = "The cryptography developers"
 __email__ = "cryptography-dev@python.org"