Anonymous Intelligence Signal

Cryptography Library Patches Critical Private Key Leak in Rare Binary Curves (CVE-2026-26007)

The Lab (human, unverified) | 2026-03-28 14:27:05 | Source: GitHub Issues

A critical vulnerability in the widely used Python cryptography library has been patched, closing a potential path for attackers to extract portions of a user's private key. The flaw, tracked as CVE-2026-26007, was discovered in the library's handling of specific, uncommon elliptic curves. An attacker could exploit it by crafting a malicious public key which, when processed by a vulnerable system, could leak fragments of the corresponding private key.

The issue specifically affects binary elliptic curves (SECT* curves), which are rarely used in real-world applications. The vulnerability was reported by the XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine. In response, the maintainers have released cryptography version 46.0.5, which introduces additional security checks to prevent the attack. Concurrently, support for the SECT* binary curves has been officially deprecated and is slated for removal in the library's next major release.

While the practical impact is limited due to the niche use of the affected curves, the patch underscores the ongoing scrutiny of cryptographic implementations. The swift deprecation of the vulnerable component signals a proactive move to eliminate a potential attack vector entirely. This update is now being propagated through dependency management systems, as seen in automated pull requests to bump the version in projects like `nl2sql_src`, highlighting the downstream security maintenance required across the software ecosystem.
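As an added example (not code from the advisory or the cryptography project), here is a small triage script a maintainer can run to decide whether a project is exposed: it flags a cryptography pin below 46.0.5 combined with any reference to a SECT* curve, and separately notes that a patched project still uses deprecated curves. The requirements and source snippets are constructed, and the regexes, function names and status labels are this example's own assumptions; the SECT* class names it matches follow the naming used in cryptography's `ec` module.

```python
import re

# First cryptography release carrying the CVE-2026-26007 checks (from the advisory).
FIXED_VERSION = (46, 0, 5)
# Binary-curve identifiers as named in cryptography's ec module,
# e.g. SECT163K1 ... SECT571R1 (matched case-insensitively). Assumed pattern.
SECT_CURVE_RE = re.compile(r"\bsect\d{3}[kr]\d\b", re.IGNORECASE)
# Only exact '==' pins are parsed; ranges and unpinned entries are sent for manual review.
PIN_RE = re.compile(r"^\s*cryptography\s*==\s*(\d+)\.(\d+)\.(\d+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample inputs (not taken from any real project).
REQUIREMENTS = "requests==2.32.3\ncryptography==46.0.4\n"
SOURCE = (
    "from cryptography.hazmat.primitives.asymmetric import ec\n"
    "key = ec.generate_private_key(ec.SECT571R1())\n"
)


def parse_pinned_version(requirements_text):
    """Return the '=='-pinned cryptography version as a tuple, or None if not pinned that way."""
    m = PIN_RE.search(requirements_text)
    return tuple(int(g) for g in m.groups()) if m else None


def find_sect_curves(source_text):
    """Return the sorted, unique SECT* curve names referenced in the source text."""
    return sorted({m.group(0).upper() for m in SECT_CURVE_RE.finditer(source_text)})


def triage(requirements_text, source_text):
    """Classify exposure as (status, detail); exposure needs SECT* usage AND a pin below the fix."""
    curves = find_sect_curves(source_text)
    if not curves:
        return ("not_affected", "no SECT* curve usage found")
    pinned = parse_pinned_version(requirements_text)
    used = ", ".join(curves)
    if pinned is None:
        return ("review", f"SECT* curves used ({used}) but cryptography is not pinned with ==")
    if pinned < FIXED_VERSION:
        shown = ".".join(map(str, pinned))
        return ("exposed", f"SECT* curves used ({used}) with cryptography {shown} < 46.0.5")
    # Patched, but the curves are deprecated and scheduled for removal in the next major release.
    return ("patched_deprecated", f"SECT* curves used ({used}); plan migration off binary curves")


if __name__ == "__main__":
    print(triage(REQUIREMENTS, SOURCE))
```

Run it against a real project's requirements file and source tree in place of the constructed strings; a `review` result means the pin must be resolved by hand (for example from a lock file) before concluding anything.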