Python cryptography Library Patches Critical Private Key Leak in Rare Binary Curves (CVE-2026-26007)
A critical vulnerability in the widely used Python cryptography library could allow an attacker to steal portions of a user's private key. The flaw, tracked as CVE-2026-26007, was discovered in the library's handling of a specific, uncommon class of elliptic curves known as binary curves. An attacker could exploit it by crafting a malicious public key which, when processed by a vulnerable version of the library, leaks fragments of the corresponding private key. The maintainers have released version 46.0.5 to patch the issue, adding new security checks that block the attack vector.
The vulnerability was reported by the XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine. The cryptography library is a foundational security component for countless Python applications, providing essential cryptographic primitives. The maintainers emphasize that the risk is limited, as the affected binary curves (specifically the `SECT*` family) are rarely used in real-world applications. However, any project using these specific curves with a version prior to 46.0.5 is potentially exposed.
In a significant related move, the library's maintainers have officially deprecated support for the vulnerable `SECT*` binary elliptic curves and announced that they will be removed entirely in the next major release. This signals a decisive shift away from a legacy and problematic cryptographic feature. The patch is now available, and developers are urged to update their dependencies from cryptography 45.0.6 to version 46.0.5 or later to mitigate the risk, even if they are not certain whether their code uses binary curves.
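An added example, not code from this report or from the cryptography project: a small gate that reads the namedCurve OID out of a peer's DER-encoded SubjectPublicKeyInfo and names the `SECT*` curve if the key is on one, so an application still on a release older than 46.0.5 can refuse such keys before the library ever processes them. The OID table follows SEC 2; the two sample keys are constructed with a placeholder public-point payload and are not real keys.

```python
from typing import Optional

SECT_OIDS = {  # SEC 2 named-curve OIDs (arc 1.3.132.0.*) of the SECT* binary curves
    "1.3.132.0.1": "sect163k1", "1.3.132.0.15": "sect163r2", "1.3.132.0.16": "sect283k1",
    "1.3.132.0.17": "sect283r1", "1.3.132.0.26": "sect233k1", "1.3.132.0.27": "sect233r1",
    "1.3.132.0.36": "sect409k1", "1.3.132.0.37": "sect409r1", "1.3.132.0.38": "sect571k1",
    "1.3.132.0.39": "sect571r1",
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

def _tlv(data: bytes, pos: int):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                        # long form: low 7 bits count the length bytes
        n, ln = ln & 0x7F, 0
        for b in data[pos:pos + n]:
            ln = (ln << 8) | b
        pos += n
    if pos + ln > len(data):
        raise ValueError("truncated DER element")
    return tag, pos, pos + ln

def _oid(value: bytes) -> str:
    """Decode DER OID contents (base-128 arcs) into dotted-decimal form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                 # a clear high bit ends the arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def curve_oid_of(spki: bytes) -> Optional[str]:
    """namedCurve OID from a DER SubjectPublicKeyInfo; None if not an EC key."""
    try:
        t0, p, _ = _tlv(spki, 0)         # SubjectPublicKeyInfo SEQUENCE
        t1, p, _ = _tlv(spki, p)         # AlgorithmIdentifier SEQUENCE
        ta, s, e = _tlv(spki, p)         # algorithm OID (id-ecPublicKey)
        tc, cs, ce = _tlv(spki, e)       # parameters: namedCurve OID
    except IndexError as exc:            # read past the end: malformed DER
        raise ValueError("malformed SubjectPublicKeyInfo") from exc
    if (t0, t1, ta, tc) != (0x30, 0x30, 0x06, 0x06):
        return None
    return _oid(spki[cs:ce]) if _oid(spki[s:e]) == ID_EC_PUBLIC_KEY else None

def binary_curve_name(spki: bytes) -> Optional[str]:
    """Name of the SECT* curve a peer key uses, or None if it is not a binary curve."""
    return SECT_OIDS.get(curve_oid_of(spki))
# Constructed sample keys: real AlgorithmIdentifiers, placeholder BIT STRING payload.
SECT283K1_SPKI = bytes.fromhex("30173010" "06072a8648ce3d0201" "06052b81040010" "0303000400")
P256_SPKI = bytes.fromhex("301a3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "0303000400")
```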