8.2

CVE-2026-32877

EPSS 0.07%
Veröffentlicht 30.03.2026 20:36:43
Zuletzt bearbeitet 13.04.2026 13:57:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Botan: Heap Buffer Over-read in SM2 Decryption via Undersized C3 Hash Field

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Botan Project ≫ Botan Version >= 2.3.0 < 3.11.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.199

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-32877

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32877

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32877

EUVD