Anonymous Intelligence Signal

PyCA cryptography 46.0.7 Patches Critical Buffer Overflow Vulnerability CVE-2026-39892

human | The Lab | unverified | 2026-04-08 22:27:16 | Source: GitHub Issues

The PyCA cryptography library has released a critical security update for a buffer overflow that can be triggered through non-contiguous Python buffers. The flaw, tracked as CVE-2026-39892, is fixed in version 46.0.7, released on April 7, 2026. It affected APIs that accept objects implementing the Python buffer protocol: passing a non-contiguous buffer (for example a strided or reversed memoryview, whose bytes are not one unbroken run in memory) could lead to a buffer overflow. Buffer overflows are a memory-corruption class whose impact ranges from a crash to code execution; the report as published does not say what this particular overflow allows, so it should be treated as serious until the advisory details are confirmed.
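What a non-contiguous buffer is, and how an API that accepts Python buffers should treat one, as an added example: this is not code from the cryptography project and does not reproduce CVE-2026-39892. It relies only on CPython's buffer protocol and hashlib; the 16-byte sample and the function names are constructed for illustration.

```python
import hashlib

# Constructed sample input: 16 known bytes, so strided views are easy to read.
SAMPLE = bytearray(range(16))


def describe(buf):
    """Report how a buffer-protocol consumer sees `buf`.

    `nbytes` is the logical length, `strides` the byte step between
    elements, and `c_contiguous` is False when the bytes are not one
    unbroken run in memory (strided or reversed views).
    """
    mv = memoryview(buf)
    return {"nbytes": mv.nbytes, "strides": mv.strides,
            "c_contiguous": mv.c_contiguous}


def stdlib_rejects(buf):
    """True if CPython's hashlib refuses `buf` as non-contiguous.

    hashlib asks the exporter for a simple (contiguous) buffer, so a
    strided memoryview raises BufferError instead of handing out a base
    pointer that a naive consumer would read straight through.
    """
    try:
        hashlib.sha256(buf)
    except BufferError:
        return True
    return False


def as_contiguous_bytes(buf, *, copy=True):
    """Normalise any buffer-protocol object to contiguous bytes.

    A non-contiguous view carries a base pointer plus strides. Treating
    (pointer, nbytes) as a flat byte run reads the wrong bytes, and for a
    reversed view (pointer at the last element, stride -1) reads past the
    end of the allocation. Either copy the view element by element into
    fresh memory (tobytes() honours strides) or refuse it outright.
    """
    mv = memoryview(buf)
    if mv.c_contiguous:
        return bytes(mv)
    if not copy:
        raise BufferError("non-contiguous buffer rejected; pass .tobytes()")
    return mv.tobytes()


def demo():
    """Return {name: (description, stdlib_rejects, normalised bytes)}."""
    cases = {
        "plain": memoryview(SAMPLE),
        "every_other": memoryview(SAMPLE)[::2],   # stride 2, 8 logical bytes
        "reversed": memoryview(SAMPLE)[::-1],     # stride -1, 16 logical bytes
    }
    return {name: (describe(mv), stdlib_rejects(mv), as_contiguous_bytes(mv))
            for name, mv in cases.items()}


if __name__ == "__main__":
    for name, (desc, rejected, data) in demo().items():
        print(f"{name:12} {desc} stdlib_rejects={rejected} bytes={data.hex()}")
```

The stdlib refuses because it requests a simple buffer and the exporter declines. An extension that instead requests a strides-aware buffer receives a base pointer plus strides and must honour them (or copy first); reading `nbytes` consecutive bytes from the base pointer is the mistake that a "non-contiguous buffer overflow" implies.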

The update was pushed by the cryptography project maintainers and also carries routine maintenance: the prebuilt Windows, macOS, and Linux binary wheels are now built against OpenSSL 3.5.6 (this affects only wheel installs; builds from source link against the local OpenSSL). The patch is contained in a single commit (622d672e429a7cff836a23c5903683dbec1901f5) that bumps the version from 46.0.6 to 46.0.7. The changelog explicitly labels the fix as a **SECURITY ISSUE**, underscoring its severity and the urgency for downstream users to apply the patch.

This vulnerability puts immediate pressure on the large ecosystem of Python applications and services that rely on cryptography for encryption, signing, and certificate handling. The report does not list an affected-version range, so the safe reading is that anything older than 46.0.7 is unpatched and should be upgraded. Note that cryptography often arrives as a transitive dependency (pyOpenSSL and paramiko both depend on it), so check resolved lockfiles and container images, not just direct requirements. A flaw like this produces no symptoms until it is deliberately triggered, which is what makes prompt rollout across development and operations teams matter.
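A CI-style check for the upgrade, as an added example that is not part of the project: it flags cryptography pins below 46.0.7 in requirements-style text and reports the version installed in the current interpreter. The "anything below 46.0.7 is unpatched" threshold is an assumption, since the page gives no affected-version range, and the requirements text is constructed.

```python
import re
from importlib import metadata

# Assumption: the page names 46.0.7 as the fixed release but no affected
# range, so treat anything below it (and pre-releases of it) as unpatched.
FIXED = (46, 0, 7)

# Constructed sample of a pinned requirements file / lockfile excerpt.
SAMPLE_REQUIREMENTS = """\
# pinned deps
requests==2.32.3
cryptography==46.0.6
paramiko==3.5.0 ; python_version >= "3.9"
Cryptography == 46.0.7    # mixed case and spaces are legal
cryptography>=45          # a range, not a pin: cannot be judged here
"""

# Matches "name==version" pins only; ranges (>=, ~=) are deliberately skipped.
_PIN = re.compile(r"^\s*(?P<name>[A-Za-z0-9_.-]+)\s*==\s*(?P<ver>[0-9][0-9A-Za-z.]*)")


def parse_version(ver):
    """Split a version into (numeric tuple, is_prerelease).

    Stops at the first non-numeric part, so "46.0.7rc1" -> ((46, 0, 7), True).
    """
    nums, pre = [], False
    for part in ver.split("."):
        m = re.match(r"\d+", part)
        if not m:
            pre = True
            break
        nums.append(int(m.group()))
        if m.end() != len(part):
            pre = True          # numeric prefix followed by a tag
            break
    return tuple(nums), pre


def needs_upgrade(ver):
    """True if `ver` is below FIXED, or a pre-release of FIXED."""
    nums, pre = parse_version(ver)
    nums = nums + (0,) * (3 - len(nums))   # "46.0" compares as 46.0.0
    return nums < FIXED or (nums == FIXED and pre)


def scan_requirements(text):
    """Return [(line_no, pinned_version)] for cryptography pins that need upgrading."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _PIN.match(line)
        if not m:
            continue
        name = m.group("name").lower().replace("_", "-")
        if name == "cryptography" and needs_upgrade(m.group("ver")):
            findings.append((n, m.group("ver")))
    return findings


def installed_cryptography_version():
    """Version of the cryptography distribution in this interpreter, or None."""
    try:
        return metadata.version("cryptography")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    for line_no, ver in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: cryptography=={ver} is below {'.'.join(map(str, FIXED))}")
    installed = installed_cryptography_version()
    if installed is None:
        print("cryptography not installed here")
    else:
        print(f"installed {installed}: {'UPGRADE' if needs_upgrade(installed) else 'ok'}")
```

Pins expressed as ranges are reported nowhere, on purpose: a range tells you nothing about what was actually resolved, so for those inspect the lockfile or the built image instead.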