CVE-2026-33936

Exploit

EPSS 0.48%
Veröffentlicht 27.03.2026 22:08:22
Zuletzt bearbeitet 01.04.2026 13:23:21
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

python-ecdsa: Denial of Service via improper DER length validation in crafted private keys

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tlsfuzzer ≫ Ecdsa SwPlatformpython Version < 0.19.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.48%	0.373

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-130 Improper Handling of Length Parameter Inconsistency

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g

Vendor Advisory

Exploit

Mitigation

https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3

Patch

https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33936

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33936

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33936

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33936