PT-2026-28568 · Pypi · Ecdsa

0Xmrma · Published 2026-03-27 · Updated 2026-05-13 · CVE-2026-33936

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: ecdsa versions prior to 0.19.2

Description: The ecdsa package, a Python implementation of ECC, contains a flaw in its DER parsing functions. Specifically, ecdsa.der.remove_octet_string() incorrectly accepts truncated DER data where the declared length exceeds the actual buffer size. As a result, SigningKey.from_der() can raise an internal IndexError instead of cleanly rejecting the malformed DER, which may cause a denial of service when parsing untrusted DER private keys. A crafted DER input can trigger this issue.

Recommendations: Upgrade to ecdsa version 0.19.2 or later.
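The flaw described above is a missing bounds check: a DER element's declared length is trusted even when fewer bytes remain in the buffer. The following is an added example, not code from the advisory or from the ecdsa project, showing the check a parser should perform: it walks every TLV element, recursing into constructed types, and rejects any element whose declared length overruns the available bytes. The sample DER blobs are constructed here (a SEQUENCE holding an INTEGER and an OCTET STRING, plus two truncated variants); `load_key_safely` is an assumed wrapper around `SigningKey.from_der()` that also converts the IndexError mentioned in the advisory into a clean rejection for deployments that cannot upgrade immediately.

```python
"""Defensive DER bounds check to run before handing untrusted DER to a parser."""


def der_length(buf: bytes, pos: int) -> tuple:
    """Decode a DER length starting at buf[pos].

    Returns (length, position_after_length_bytes).
    Raises ValueError on truncation or non-canonical (non-DER) encodings.
    """
    if pos >= len(buf):
        raise ValueError("truncated: missing length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: single byte
        return first, pos
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    n = first & 0x7F                      # long form: n following length bytes
    if pos + n > len(buf):
        raise ValueError("truncated: long-form length bytes missing")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if (n > 1 and buf[pos] == 0) or (n == 1 and length < 0x80):
        raise ValueError("non-minimal length encoding is not DER")
    return length, pos + n


def check_der_bounds(buf: bytes) -> bool:
    """Confirm every declared length in buf fits inside the actual buffer.

    Walks the TLV structure and recurses into constructed elements.
    Returns True when consistent; raises ValueError describing the first overrun.
    """
    def walk(start: int, end: int) -> None:
        pos = start
        while pos < end:
            tag = buf[pos]
            if (tag & 0x1F) == 0x1F:
                raise ValueError("multi-byte tags not supported by this checker")
            length, pos = der_length(buf, pos + 1)
            if pos + length > end:        # the exact condition the advisory describes
                raise ValueError(
                    f"declared length {length} at offset {pos} exceeds "
                    f"available {end - pos} bytes"
                )
            if tag & 0x20:                # constructed: check the nested contents too
                walk(pos, pos + length)
            pos += length

    walk(0, len(buf))
    return True


def is_well_formed(buf: bytes) -> bool:
    """Boolean convenience wrapper around check_der_bounds."""
    try:
        return check_der_bounds(buf)
    except ValueError:
        return False


# Constructed samples (not real key material):
# SEQUENCE { INTEGER 1, OCTET STRING 01 02 03 04 }
GOOD_DER = bytes.fromhex("3009" "020101" "040401020304")
# Same blob with the last two bytes cut off: the outer SEQUENCE still claims 9 bytes.
TRUNCATED_DER = GOOD_DER[:-2]
# Outer length is consistent, but the OCTET STRING claims 4 bytes while only 2 remain.
OCTET_OVERRUN_DER = bytes.fromhex("3007" "020101" "0404" "0102")


def load_key_safely(der_bytes: bytes):
    """Assumed usage around ecdsa.SigningKey.from_der (hypothetical wrapper).

    Rejects inconsistent DER before the library sees it, and treats the
    internal IndexError raised by affected versions as a malformed-input error.
    """
    if not is_well_formed(der_bytes):
        raise ValueError("malformed DER rejected before parsing")
    from ecdsa import SigningKey  # imported lazily; not needed for the check itself
    try:
        return SigningKey.from_der(der_bytes)
    except IndexError as exc:
        raise ValueError("malformed DER rejected by parser") from exc


if __name__ == "__main__":
    for name, blob in (("good", GOOD_DER), ("truncated", TRUNCATED_DER),
                       ("octet overrun", OCTET_OVERRUN_DER)):
        print(f"{name}: well-formed={is_well_formed(blob)}")
```

The pre-check is cheap and independent of the key parser, so it can sit at the trust boundary (for example, where uploaded PEM/DER keys are accepted) and log a rejection with the offending offset rather than letting a parser exception surface as a crash.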

Related Identifiers

CVE-2026-33936
ECHO-DC11-DAA6-FC93
GHSA-9F5J-8JWJ-X28G
OESA-2026-1836
OESA-2026-1837
OESA-2026-1838
OESA-2026-1839
OPENSUSE-SU-2026:10468-1
SUSE-SU-2026:1436-1
SUSE-SU-2026:1608-1

Affected Products

Ecdsa