CVE-2024-26130

7.5 HIGH

📋 TL;DR

This vulnerability in the Python cryptography package causes a NULL pointer dereference when pkcs12.serialize_key_and_certificates is called with mismatched certificate and private key pairs while using specific encryption settings. This crashes the Python process, leading to denial of service. It affects Python applications using cryptography versions 38.0.0 through 42.0.3.

💻 Affected Systems

Products:
  • Python cryptography package
Versions: 38.0.0 through 42.0.3
Operating Systems: All platforms running Python
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when calling pkcs12.serialize_key_and_certificates with mismatched certificate/private key AND using encryption_algorithm with hmac_hash set via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for applications using vulnerable cryptography functions, potentially disrupting critical services that rely on PKCS12 operations.

🟠 Likely Case

Application crashes when processing malformed or incorrectly configured PKCS12 data, causing service interruptions.

🟢 If Mitigated

Minimal impact with proper input validation and error handling in place; applications would handle the ValueError gracefully after patching.

🌐 Internet-Facing: MEDIUM - Exploitable if applications accept external PKCS12 data, but requires specific conditions and knowledge of internal implementation.
🏢 Internal Only: LOW - Primarily affects internal PKCS12 processing; requires access to trigger the specific function call with malformed parameters.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific function calls with carefully crafted parameters; not trivial but documented in advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 42.0.4

Vendor Advisory: https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4

Restart Required: Yes

Instructions:

1. Update cryptography package: pip install "cryptography>=42.0.4"
2. Restart all Python applications using cryptography
3. Verify no regressions in PKCS12 functionality

🔧 Temporary Workarounds

Input validation wrapper

Add validation to ensure certificate public key matches private key before calling serialize_key_and_certificates

# Python code to validate key match before calling vulnerable function
from cryptography.hazmat.primitives.asymmetric import rsa, dsa, ec
# Verify that the certificate's public key matches private_key.public_key() before proceeding

🧯 If You Can't Patch

  • Implement strict input validation for all PKCS12 serialization calls
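  • Add crash handling to detect and log crashes, with automatic restart mechanisms; the NULL pointer dereference terminates the Python process, so this has to sit outside the process, since a try/except cannot catch it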

🔍 How to Verify

Check if Vulnerable:

Check cryptography version: pip show cryptography | grep Version
If the version is between 38.0.0 and 42.0.3 inclusive, the system is vulnerable.

Check Version:

pip show cryptography | grep Version

Verify Fix Applied:

Verify version is 42.0.4 or higher: pip show cryptography | grep Version
Test PKCS12 serialization with mismatched keys to ensure a ValueError is raised instead of a crash.

📡 Detection & Monitoring

Log Indicators:

  • Python process crashes with segmentation faults during PKCS12 operations
  • Error logs showing NULL pointer dereferences in cryptography module

Network Indicators:

  • Sudden termination of services using cryptography for PKCS12 operations

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "NULL pointer" OR "cryptography crash") AND process="python"
