PT-2024-3052 · Pypi+8 · Cryptography+8

Alexander-Programming · Published 2024-02-21 · Updated 2026-02-12 · CVE-2024-26130

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: cryptography versions 38.0.0 through 42.0.3
Description: The issue is in the pkcs12.serialize_key_and_certificates function of the cryptography package for Python. If this function is called with a certificate whose public key does not match the provided private key, and with an encryption algorithm that has hmac_hash set, a NULL pointer dereference occurs and the Python process crashes. The fixed version resolves the issue by raising a ValueError for this input instead.
Recommendations: For cryptography versions 38.0.0 through 42.0.3, update to version 42.0.4 or later to resolve the issue. As a temporary workaround until the update is applied, avoid calling pkcs12.serialize_key_and_certificates with a certificate whose public key does not match the private key while hmac_hash is set in the encryption algorithm.
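The two checks a defender would want around this advisory, as an added example (not code from the advisory or from the cryptography project): a version-range test for the affected range 38.0.0 through 42.0.3, and a pre-check that the certificate's public key matches the private key, raising the same ValueError the fixed release raises, so that the crashing input never reaches pkcs12.serialize_key_and_certificates on an unpatched install. The helper names (is_affected_version, key_matches_cert, assert_key_matches_cert) are this example's own; the public_bytes, Encoding and PublicFormat calls are the real cryptography API.

```python
"""Guards for CVE-2024-26130 (added example; not part of the advisory).

Checks to apply before using
cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates:
  1. is_affected_version(): is a cryptography release inside the affected
     range 38.0.0 through 42.0.3 (fixed in 42.0.4)?
  2. assert_key_matches_cert(): raise ValueError up front when the certificate's
     public key does not match the private key, the input that crashed
     affected releases when hmac_hash was set.
"""
from __future__ import annotations

from typing import Tuple

AFFECTED_MIN = (38, 0, 0)   # first affected release, from the advisory
FIXED = (42, 0, 4)          # first fixed release, from the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '42.0.3' (or '42.0.3.post1') into a comparable tuple of ints.

    Only the leading numeric components are used; parsing stops at the first
    non-numeric component, and short versions are padded to three components.
    """
    parts = []
    for piece in version.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True if `version` is in the affected range 38.0.0 <= v < 42.0.4."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def installed_cryptography_is_affected() -> bool | None:
    """Check the installed package; returns None if cryptography is not importable."""
    try:
        import cryptography  # real package; may be absent in some environments
    except ImportError:
        return None
    return is_affected_version(cryptography.__version__)


def _spki_der(public_key) -> bytes:
    """Canonical DER SubjectPublicKeyInfo for any public key type (real API)."""
    from cryptography.hazmat.primitives import serialization
    return public_key.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def key_matches_cert(private_key, cert) -> bool:
    """True if the certificate carries the public half of `private_key`.

    Comparing DER SubjectPublicKeyInfo works uniformly for RSA, EC and
    Ed25519/Ed448 keys; public_numbers() would not, since Ed keys lack it.
    """
    return _spki_der(private_key.public_key()) == _spki_der(cert.public_key())


def assert_key_matches_cert(private_key, cert) -> None:
    """Raise the ValueError that fixed releases raise, before calling pkcs12."""
    if not key_matches_cert(private_key, cert):
        raise ValueError("certificate public key does not match the private key")


if __name__ == "__main__":
    # Usage sketch (needs the cryptography package and real key/cert objects):
    #   assert_key_matches_cert(key, cert)
    #   enc = (serialization.PrivateFormat.PKCS12.encryption_builder()
    #          .hmac_hash(hashes.SHA256()).build(b"password"))
    #   blob = pkcs12.serialize_key_and_certificates(b"name", key, cert, None, enc)
    print("installed cryptography affected:", installed_cryptography_is_affected())
```

Running the module prints whether the locally installed cryptography falls in the affected range; the key/cert pre-check is independent of the installed version and is cheap enough to leave in place after upgrading.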

Exploit

Fix

DoS

NULL Pointer Dereference

Related Identifiers

ALSA-2025:15608
ALSA-2025_15608
ALT-PU-2024-2757
ALT-PU-2025-4222
BDU:2024-03237
CVE-2024-26130
GHSA-6VQW-3V5J-54X4
INFSA-2025_15608
MGASA-2025-0069
OPENSUSE-SU-2024:13710-1
OPENSUSE-SU-2024_0763-1
OPENSUSE-SU-2024_2138-1
PYSEC-2024-225
RHSA-2024:3781
RHSA-2024:7987
RHSA-2025:1335
RHSA-2025:15608
RHSA-2025_15608
SUSE-SU-2024:0763-1
SUSE-SU-2024:2138-1
USN-6673-1
USN-6673-3

Affected Products

Alt Linux
Almalinux
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Cryptography