Buffer Overflow in cryptography 45.x-46.0.6 via non-contiguous buffers
CVE-2026-39892 Published on April 8, 2026

cryptography has a buffer overflow if non-contiguous buffers were passed to APIs
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.

NVD

Vulnerability Analysis

CVE-2026-39892 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

LOW

Weakness Types

What is a Buffer Overflow Vulnerability?

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

CVE-2026-39892 has been classified to as a Buffer Overflow vulnerability or weakness.

Incorrect Calculation of Buffer Size

The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Products Associated with CVE-2026-39892

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Ansible Automation Platform

Red Hat Ansible Automation Platform Developer

Red Hat Ansible Automation Platform Inside

Red Hat Ai Inference Server

Red Hat Discovery

Red Hat Hummingbird

Red Hat Openshift Ai

Red Hat Quay

Red Hat Trusted Artifact Signer

Red Hat Lightspeed Core

Red Hat Migration Toolkit Applications

Red Hat Ansible Core

Red Hat Enterprise Linux (RHEL)

Red Hat Enterprise Linux Ai

Red Hat Satellite

Red Hat Openshift Lightspeed

Affected Versions

pyca cryptography:

Version >= 45.0.0, < 46.0.7 is affected.

Red Hat Ansible Automation Platform 2.5 for RHEL 8: Red Hat Ansible Automation Platform 2.5 for RHEL 9: Red Hat Ansible Automation Platform 2.6 for RHEL 9: Red Hat AI Inference Server 3.3: Red Hat Ansible Automation Platform 2.6: Red Hat Discovery 2: Red Hat Hardened Images: Red Hat OpenShift AI 2.25: Red Hat Quay 3.12: Red Hat Quay 3.14: Red Hat Quay 3.15: Red Hat Quay 3.16: Red Hat Quay 3.17: Red Hat Quay 3.1: Red Hat Quay 3.9: Red Hat Trusted Artifact Signer 1.4: Red Hat Lightspeed Core: Red Hat Migration Toolkit for Applications 8: Red Hat AI Inference Server: Red Hat Ansible Automation Platform 2: Red Hat Ansible Automation Platform Ansible Core 2: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat OpenShift AI (RHOAI): Red Hat Quay 3: Red Hat Satellite 6: Red Hat Ansible Automation Platform 2.6 for RHEL 10: Red Hat OpenShift Lightspeed:

Exploit Probability

EPSS

0.53%

Percentile

40.28%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Buffer Overflow in cryptography 45.x-46.0.6 via non-contiguous buffersCVE-2026-39892 Published on April 8, 2026