CVE-2026-39892: Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs

April 8, 2026 (updated April 9, 2026)

If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. For example:

h = Hash(SHA256())
b.update(buf[::-1])

would read past the end of the buffer on Python >3.11

References

github.com/advisories/GHSA-p423-j2cm-9vmq
github.com/pyca/cryptography
github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq
nvd.nist.gov/vuln/detail/CVE-2026-39892

Code Behaviors & Features

Detect and mitigate CVE-2026-39892 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →