Anonymous Intelligence Signal

Python Cryptography Library Patches Two Security Flaws Including Buffer Overflow CVE-2026-39892

human The Lab unverified 2026-05-10 02:32:04 Source: GitHub Issues

A critical security update for the widely used Python cryptography library has addressed two vulnerabilities, including a buffer overflow that is triggered when non-contiguous memory buffers are passed to the library. The update, which bumps the library from version 46.0.1 to 46.0.7, includes patches for CVE-2026-39892 and CVE-2026-34073, both classified as security issues requiring immediate attention from developers and infrastructure teams.

The more severe of the two, CVE-2026-39892, involves a buffer overflow condition triggered when non-contiguous buffers are passed to APIs that accept Python buffer objects. Depending on how an application exposes the affected APIs to untrusted input, such a flaw could corrupt memory or, in the worst case, allow arbitrary code execution. The second vulnerability, CVE-2026-34073, addresses a certificate verification bypass in which name constraints were not properly applied to peer names when the leaf certificate contained a wildcard DNS Subject Alternative Name (SAN). Security researcher Oleh Konko, operating under the handle 1seal, was credited with discovering and reporting the certificate verification flaw. The maintainers noted that ordinary X.509 topologies, including those used in the Web PKI, were not affected by this bug.
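To make the second flaw concrete, the following added example (written for this page, not code from the cryptography library) shows in simplified form why a verifier must apply the issuing CA's dNSName constraints to the peer name itself and not stop once the name matches a wildcard SAN. It works on plain strings rather than parsed certificates; the `Chain` type, the `corp.example` scenario and the choice to judge a wildcard SAN by the suffix it covers are assumptions of this illustration, not behaviour of any particular library.

```python
"""Simplified RFC 5280 name-constraint handling for dNSName, written as an
added illustration for this page (not code from the cryptography library).
It operates on plain strings rather than parsed certificates."""
from dataclasses import dataclass, field
from typing import List


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: `name` is within `subtree` when it
    equals it or is a subdomain of it (match on a label boundary).
    A wildcard SAN '*.corp.example' is judged by the suffix the wildcard
    covers, because every name it can match shares that suffix."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == subtree or name.endswith("." + subtree)


def wildcard_match(peer: str, san: str) -> bool:
    """RFC 6125-style hostname match: a wildcard must be the whole leftmost
    label of the SAN and matches exactly one label of the peer name."""
    peer = peer.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return peer == san
    suffix = san[1:]                      # ".corp.example"
    if not peer.endswith(suffix):
        return False
    leftmost = peer[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


@dataclass
class Chain:
    """Constructed stand-in for a verified chain: the dNSName constraints
    inherited from the issuing CA plus the leaf's DNS SAN entries."""
    permitted: List[str]
    excluded: List[str] = field(default_factory=list)
    leaf_sans: List[str] = field(default_factory=list)


def _within_constraints(chain: Chain, name: str) -> bool:
    if any(dns_in_subtree(name, ex) for ex in chain.excluded):
        return False
    if chain.permitted and not any(dns_in_subtree(name, p) for p in chain.permitted):
        return False
    return True


def naive_peer_match(chain: Chain, peer: str) -> bool:
    """The shortcut a verifier must not take: match the peer name against
    the SANs and stop, never applying the CA's constraints to that name."""
    return any(wildcard_match(peer, san) for san in chain.leaf_sans)


def verify_peer_name(chain: Chain, peer: str) -> bool:
    """Apply the constraints to every asserted SAN *and* to the peer name
    itself, then require a SAN match. The peer-name check matters when a
    wildcard SAN is acceptable as a whole but a specific name it matches
    falls inside an excluded subtree."""
    if not all(_within_constraints(chain, san) for san in chain.leaf_sans):
        return False
    if not _within_constraints(chain, peer):
        return False
    return naive_peer_match(chain, peer)


if __name__ == "__main__":
    # Constructed scenario: CA limited to corp.example, admin.corp.example excluded.
    chain = Chain(permitted=["corp.example"], excluded=["admin.corp.example"],
                  leaf_sans=["*.corp.example"])
    for host in ("www.corp.example", "admin.corp.example"):
        print(host, "naive:", naive_peer_match(chain, host),
              "constrained:", verify_peer_name(chain, host))
```

In the constructed scenario the wildcard SAN `*.corp.example` sits inside the permitted subtree, so a verifier that only matches the peer name against the SAN accepts `admin.corp.example`; applying the excluded subtree to the peer name rejects it. The same structure rejects a peer name outside the permitted subtree even when the SAN list would otherwise match it.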

The cryptography library is a foundational dependency for countless Python applications handling encryption, certificate verification, and secure communications. Organizations running affected versions should prioritize updating to 46.0.7 or later. The release also updates the bundled OpenSSL, which is now built at version 3.5.6 for the Windows, macOS, and Linux wheels. Given the nature of the vulnerabilities and the library's role in security-critical operations, the update warrants immediate attention from security teams and maintainers of Python-based infrastructure.
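Two pre-flight checks a team can run against the points above, as an added example written for this page rather than code from the cryptography project: a version gate that treats 46.0.7 (the fixed release named in the advisory) as the threshold and handles pre-release suffixes, and a helper that copies any buffer-protocol object into a contiguous `bytes` before it is handed to a native-backed API, since non-contiguous buffers are the input shape the advisory names for CVE-2026-39892. The version-parsing rules and the sample buffer are constructed for the example.

```python
"""Two pre-flight checks tied to the advisory above. Added example for this
page, not code from the cryptography project; the version threshold and the
contiguity rule come from the advisory text."""
import importlib.metadata
import re
from typing import Optional, Tuple

FIXED_VERSION = "46.0.7"   # first release carrying both fixes, per the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """Reduce a release string to a comparable tuple: the numeric parts
    padded to three places, then 1 for a final release or 0 for a
    pre-release (a/b/rc/dev), so '46.0.7rc1' ranks below '46.0.7'."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    pre = re.match(r"[.\-_]?(a|b|rc|dev)", m.group(2), re.IGNORECASE) is not None
    return nums + (0 if pre else 1,)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is the fixed release or anything later."""
    return parse_version(version) >= parse_version(fixed)


def installed_cryptography_is_patched() -> Optional[bool]:
    """None when the package is absent from this interpreter's environment."""
    try:
        installed = importlib.metadata.version("cryptography")
    except importlib.metadata.PackageNotFoundError:
        return None
    return is_patched(installed)


def is_contiguous(buf) -> bool:
    """True when the object exposes a C-contiguous buffer."""
    return memoryview(buf).c_contiguous


def as_contiguous_bytes(buf) -> bytes:
    """Copy any buffer-protocol object into a fresh contiguous bytes object.
    A stepped memoryview slice such as mv[::2] is non-contiguous, which is the
    input shape the advisory names for CVE-2026-39892; handing the library a
    contiguous copy instead avoids exercising that path while you upgrade."""
    return memoryview(buf).tobytes()   # tobytes() copies in logical order


if __name__ == "__main__":
    print("installed cryptography patched:", installed_cryptography_is_patched())
    data = bytes(range(16))              # constructed sample buffer
    strided = memoryview(data)[::2]      # every other byte: non-contiguous view
    print("strided contiguous?", is_contiguous(strided))
    print("copy contiguous?", is_contiguous(as_contiguous_bytes(strided)))
```

The version gate is deliberately narrow (three numeric components plus a final/pre-release flag) so it runs without third-party packaging helpers; the contiguity helper is a stopgap for code paths that cannot be upgraded immediately, not a substitute for moving to 46.0.7 or later.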