CVE-2026-27459

Published: March 19, 2026Last modified: March 27, 2026

Description

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.

Severity score breakdown

Parameter	Value
Base score	9.8
Attack Vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	HIGH
Integrity impact	HIGH
Availability impact	HIGH
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Status

Product	Release	Package	Status
Alpaquita Linux	25 LTS	py3-openssl	Fixed (25.0.0-r1)
Alpaquita Linux	Stream	py3-openssl	Fixed (26.0.0-r0)

References

https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst
https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408
https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4