{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33936", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.103Z", "datePublished": "2026-03-27T22:08:22.868Z", "dateUpdated": "2026-04-01T13:44:46.297Z"}, "containers": {"cna": {"title": "python-ecdsa: Denial of Service via improper DER length validation in crafted private keys", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-130", "lang": "en", "description": "CWE-130: Improper Handling of Length Parameter Inconsistency", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g"}, {"name": "https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3", "tags": ["x_refsource_MISC"], "url": "https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3"}, {"name": "https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2"}], "affected": [{"vendor": "tlsfuzzer", "product": "python-ecdsa", "versions": [{"version": "< 0.19.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:08:22.868Z"}, "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue."}], "source": {"advisory": "GHSA-9f5j-8jwj-x28g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:44:27.418372Z", "id": "CVE-2026-33936", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:44:46.297Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33936", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T13:44:27.418372Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:44:42.315Z"}}], "cna": {"title": "python-ecdsa: Denial of Service via improper DER length validation in crafted private keys", "source": {"advisory": "GHSA-9f5j-8jwj-x28g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "tlsfuzzer", "product": "python-ecdsa", "versions": [{"status": "affected", "version": "< 0.19.2"}]}], "references": [{"url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g", "name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3", "name": "https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2", "name": "https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-130", "description": "CWE-130: Improper Handling of Length Parameter Inconsistency"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T22:08:22.868Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33936", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:44:46.297Z", "dateReserved": "2026-03-24T19:50:52.103Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T22:08:22.868Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*", "matchCriteriaId": "E96A1566-0D57-48AB-A82C-2C5101EB5318", "versionEndExcluding": "0.19.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue."}], "id": "CVE-2026-33936", "lastModified": "2026-04-01T13:23:21.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T23:17:13.733", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-130"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "python-ecdsa: ecdsa: Denial of Service via crafted DER input", "id": "2452539", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452539"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-130", "details": ["The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.", "A flaw was found in the `ecdsa` Python package, which is used for cryptographic operations. A remote attacker can exploit this vulnerability by sending a specially crafted data input, known as Distinguished Encoding Rules (DER). This malformed input can cause applications that process untrusted cryptographic keys to crash, leading to a denial of service."], "name": "CVE-2026-33936", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Out of support scope", "package_name": "python-ecdsa", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "python-ecdsa", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite-capsule:el8/python-ecdsa", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Out of support scope", "package_name": "python-ecdsa", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2026-03-27T22:08:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33936\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33936\nhttps://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3\nhttps://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2\nhttps://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.19.2)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 81.0, "source": "matching"}]}, "original": {"product": "python-ecdsa", "source": "cna", "vendor": "tlsfuzzer"}, "product": "ecdsa", "vendor": "tlsfuzzer"}], "analysis": {"en": {"generated_at": "2026-04-02T04:09:20.955382+00:00", "value": {"mitigation_remediation": ["Upgrade python-ecdsa to version 0.19.2 or newer.", "Ensure that any code parsing DER private keys includes comprehensive exception handling to capture unexpected IndexError, not just specific ExpectedDER or ValueError exclusions.", "Perform strict length validation of incoming DER data before passing it to the ecdsa library."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The python-ecdsa library provided by tlsfuzzer is affected. Versions prior to 0.19.2 are vulnerable. Any application that imports python-ecdsa and processes user-supplied DER private keys is subject to the flaw.", "description_and_impact": "The vulnerability is an improper length validation in the ecdsa package\u2019s DER parser. When a private key is encoded with an OCTET STRING length that exceeds the supplied data, the parser accepts the truncated input instead of rejecting it. This causes SigningKey.from_der() to raise an internal IndexError exception, which applications that do not handle unexpected exceptions will not recover from, leading to a crash and a denial of service. The weakness is a failure to perform proper bounds checking (CWE\u2011130) and an improper input validation flaw (CWE\u201120).", "risk_and_exploitability": "Risk is moderate, with a CVSS score of 5.3 and an EPSS score below 1%, and the flaw is not listed in KEV. The issue can be exploited by supplying a malformed DER private key; no authentication is required beyond the ability to provide that data to an application that uses python-ecdsa. The attack vector is likely remote if the application exposes an API that accepts DER keys, or local if any user can trigger the parsing. An attacker can cause an application to crash, resulting in denial of service if the host does not recover."}}}}, "created": "2026-03-29T20:29:29.771541+00:00", "updated": "2026-04-02T07:55:17.136689+00:00", "vendors": ["tlsfuzzer", "tlsfuzzer$PRODUCT$ecdsa"]}