Anonymous Intelligence Signal

Python cryptography Library Patches Critical Private Key Leak in Binary Elliptic Curves (CVE-2026-26007)

The Lab (unverified) | 2026-03-26 18:27:36 | Source: GitHub Issues

A critical vulnerability in the widely used Python cryptography library has been patched; under a specific attack it could expose portions of a user's private key. The flaw, tracked as CVE-2026-26007, was discovered in the library's handling of certain uncommon elliptic curves, known as binary curves. An attacker could exploit it by crafting a malicious public key which, when processed by a vulnerable system, could leak sensitive parts of the corresponding private key.

The issue was reported by the XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine. The maintainers have released version 46.0.5, which introduces additional security checks to prevent the attack. The vulnerability is contained to the rarely used binary elliptic curves, specifically those designated as `SECT*` curves. In a significant move, the library has now deprecated support for these `SECT*` curves entirely, with plans to remove them in the next release.

While the impact is limited due to the niche use of binary curves, the patch is a critical security update for any project that may have implemented them. The disclosure highlights the ongoing scrutiny of cryptographic implementations by major security research teams and the swift response from open-source maintainers. Developers are urged to update their dependencies to cryptography 46.0.5 or later to mitigate any potential risk.
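A defensive gate for the affected key type, added here as an example and not code from the cryptography project: it assumes peer EC public keys arrive as DER SubjectPublicKeyInfo and refuses any whose namedCurve OID is one of the SECT* binary curves before the key reaches ECDH or ECDSA code. The two sample SPKI byte strings are constructed with a placeholder point and are not real keys.

```python
# Added example, not cryptography's own code. Assumes peer EC public keys arrive as
# DER SubjectPublicKeyInfo; only the namedCurve OID is read before accepting a key.

# SEC 2 namedCurve OIDs for the binary curves cryptography exposes as SECT* classes.
BINARY_CURVE_OIDS = {
    "1.3.132.0.1": "sect163k1", "1.3.132.0.15": "sect163r2",
    "1.3.132.0.26": "sect233k1", "1.3.132.0.27": "sect233r1",
    "1.3.132.0.16": "sect283k1", "1.3.132.0.17": "sect283r1",
    "1.3.132.0.36": "sect409k1", "1.3.132.0.37": "sect409r1",
    "1.3.132.0.38": "sect571k1", "1.3.132.0.39": "sect571r1",
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

def _tlv(buf, pos):
    """Decode one DER TLV at pos: (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(contents):
    """Decode OID contents octets to dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def named_curve_oid(spki_der):
    """Return the namedCurve OID of an EC SubjectPublicKeyInfo, else None."""
    tag, spki, _ = _tlv(spki_der, 0)
    alg_tag, alg, _ = _tlv(spki, 0) if tag == 0x30 else (None, b"", 0)
    if alg_tag != 0x30:
        return None
    tag, algo, nxt = _tlv(alg, 0)
    if tag != 0x06 or _oid(algo) != ID_EC_PUBLIC_KEY:
        return None
    tag, params, _ = _tlv(alg, nxt)
    return _oid(params) if tag == 0x06 else None  # explicit params are not a namedCurve

def is_binary_curve_key(spki_der):
    """True when the key sits on a SECT* curve and should be refused."""
    return named_curve_oid(spki_der) in BINARY_CURVE_OIDS

# Constructed sample SPKIs with a dummy 1-byte point (placeholders, not real keys).
SECT233K1_SPKI = bytes.fromhex("30163010" "06072a8648ce3d0201" "06052b8104001a" "03020004")
SECP256R1_SPKI = bytes.fromhex("30193013" "06072a8648ce3d0201" "06082a8648ce3d030107" "03020004")
```

Run the check on every externally supplied public key before it is handed to the library, alongside the upgrade to 46.0.5 or later.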