SecuriTricks - CVE-2026-27459

Description

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.

Product(s) Impacted

Vendor	Product	Versions
Pyopenssl	Pyopenssl	22.0.0-26.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	pyopenssl	pyopenssl	22.0.0-26.0.0	/	/	/	/	/	/	/

References

https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst

https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408

https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4

CVSS Score

7.2 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: PRESENT
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Exploit Maturity: UNREPORTED

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: March 18, 2026, 12:16 a.m.
Last Modified: March 18, 2026, 2:52 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-27459