CVE-2026-26007 – This vulnerability in the Python cryptography p... (How to Fix)

📋 TL;DR

This vulnerability in the Python cryptography package allows attackers to provide specially crafted public keys from small-order subgroups, bypassing validation. When exploited, it can leak private key information during ECDH key exchange or enable signature forgery in ECDSA. Only users of affected cryptography versions implementing ECDH or ECDSA with SECT curves are impacted.

💻 Affected Systems

Products:

Python cryptography package

Versions: All versions before 46.0.5

Operating Systems: All operating systems running Python

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects SECT curves (SECP256K1, SECP384R1, SECP521R1) when using ECDH or ECDSA. Other curves and algorithms are not impacted.

📦 What is this software?

Cryptography by Cryptography.io

View all CVEs affecting Cryptography →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete private key compromise through repeated ECDH operations, enabling impersonation, data decryption, and signature forgery.

🟠

Likely Case

Partial private key leakage (least significant bits) during ECDH key exchange, weakening cryptographic security.

🟢

If Mitigated

No impact if systems are patched or don't use affected SECT curves for ECDH/ECDSA operations.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires the attacker to provide a malicious public key, which could be done through various protocols using ECDH/ECDSA.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 46.0.5

Vendor Advisory: https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2

Restart Required: No

Instructions:

1. Update cryptography package: pip install --upgrade cryptography==46.0.5
2. Verify installation: pip show cryptography
3. Restart any Python applications using cryptography.

🔧 Temporary Workarounds

Avoid SECT curves

all

Temporarily switch to non-SECT curves (like NIST P-256, P-384, P-521) for ECDH/ECDSA operations

🧯 If You Can't Patch

Implement additional validation of public keys before use in cryptographic operations
Monitor for unusual cryptographic operations or failed key validations

🔍 How to Verify

Check if Vulnerable:

Check cryptography version: python -c "import cryptography; print(cryptography.__version__)"

Check Version:

python -c "import cryptography; print(cryptography.__version__)"

Verify Fix Applied:

Verify version is 46.0.5 or higher: python -c "import cryptography; print(cryptography.__version__ >= '46.0.5')"

📡 Detection & Monitoring

Log Indicators:

Failed cryptographic operations
Unusual key validation errors
Multiple failed ECDH handshakes

Network Indicators:

Repeated failed TLS/SSL handshakes using ECDHE
Unusual public key sizes or formats

SIEM Query:

Search for cryptography package version <46.0.5 in system inventory logs

📊 Metadata

CVE ID: CVE-2026-26007

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-345

EPSS Score: 0.01% exploit probability (0.3th percentile)

Published: February 10, 2026

Last Updated: February 23, 2026

🔗 References

https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c Patch
https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2 Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/02/10/4 Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-26007, you might also want to check these: