CVSS 6.5 | CVE-2023-23931 | CVE-2026-34073

Cryptography: Memory Corruption and DNS Bypass Vulnerabilities

Two vulnerabilities affect the Python cryptography library: memory corruption (CVE-2023-23931) and DNS name constraint bypass (CVE-2026-34073). Upgrade now!

Two new vulnerabilities have been discovered in the Python cryptography library. These include a memory corruption issue that can occur when using `Cipher.update_into` with immutable objects and a DNS name constraint bypass. Patches are available to address these issues, and users are encouraged to upgrade.

One vulnerability is medium severity, and the other is low, based on CVSS scores.

What is Cryptography?

Cryptography is a powerful Python library that provides cryptographic recipes and primitives to Python developers. It includes support for symmetric encryption, key derivation, hashing, message authentication, and digital signatures. Cryptography aims to be easy to use and hard to misuse. For more information, you can search all cryptography CVEs.

CVE-2023-23931: Memory Corruption in Cipher.update_into

CVSS: 6.5
Affected versions: This vulnerability affects cryptography versions 39.0.0 and earlier.

Medium severity vulnerability.

EPSS score of 0.804 indicates a low probability of exploitation.

The `Cipher.update_into` function in the cryptography library could corrupt memory when passed an immutable Python object (such as `bytes`) as the output buffer. This allowed an immutable object to be mutated in place, violating Python's immutability guarantees.

How to fix CVE-2023-23931 in Cryptography

Patch immediately
  1. Upgrade to cryptography version 39.0.1 or later.

Workaround: Avoid using `Cipher.update_into` with immutable objects as the output buffer in affected versions.

NextGuard automatically flags CVE-2023-23931 if Cryptography appears in any of your monitored projects — no manual lookup required.

CVE-2026-34073: DNS Name Constraint Bypass

CVSS: 2.5
Affected versions: This vulnerability affects cryptography versions 46.0.5 and earlier.

Low severity vulnerability.

EPSS score of 0.023 indicates a very low probability of exploitation.

The cryptography library had an incomplete DNS name constraint enforcement on peer names during certificate validation. This allowed a peer name to bypass name constraints defined in parent certificates.

How to fix CVE-2026-34073 in Cryptography

Patch within 7 days
  1. Upgrade to cryptography version 46.0.6 or later.

Workaround: There is no practical workaround besides upgrading. Ensure your X.509 topology is not relying on the faulty validation logic.

NextGuard automatically flags CVE-2026-34073 if Cryptography appears in any of your monitored projects — no manual lookup required.
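As an added example (not code from this page or from the cryptography project), the two advisories above turned into a dependency audit check: it parses `cryptography==` pins from pip-freeze style lines, reports which CVE still applies to each pin, and names the release that closes all of them. The version parser, the `Advisory` structure and the sample input are assumptions constructed for this illustration; the version thresholds come from the advisories above.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve: str
    summary: str
    fixed_in: tuple  # first release that is not affected

# Advisory data taken from the page: "X and earlier" affected, so anything
# below the fixed release is flagged (assumption: no backported fixes).
ADVISORIES = (
    Advisory("CVE-2023-23931", "memory corruption in Cipher.update_into", (39, 0, 1)),
    Advisory("CVE-2026-34073", "DNS name constraint bypass", (46, 0, 6)),
)

def parse_version(text: str) -> tuple:
    """Turn '39.0.0' or '41.0.7' into a comparable tuple of ints.
    Pre-release tags such as '42.0.0rc1' are dropped, so a release candidate
    is treated like its final release (conservative enough for an audit)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def affected_cves(version: str) -> list:
    """Return the CVE ids from the advisories that apply to this version."""
    v = parse_version(version)
    return [a.cve for a in ADVISORIES if v < a.fixed_in]

PIN_RE = re.compile(r"^\s*cryptography\s*==\s*([0-9][0-9A-Za-z.\-+]*)", re.I)

def audit_requirements(lines) -> dict:
    """Map each cryptography pin to its open CVEs and the smallest release
    that closes all of them (None when nothing applies)."""
    results = {}
    for line in lines:
        m = PIN_RE.match(line)
        if not m:
            continue  # other packages are out of scope for these advisories
        pin = m.group(1)
        cves = affected_cves(pin)
        target = max((a.fixed_in for a in ADVISORIES if a.cve in cves), default=None)
        results[pin] = {"cves": cves, "upgrade_to": ".".join(map(str, target)) if target else None}
    return results

# Constructed sample input, not taken from any real project.
SAMPLE = ["requests==2.31.0", "cryptography==39.0.0", "cryptography==41.0.7", "cryptography==46.0.6"]

if __name__ == "__main__":
    for pin, finding in audit_requirements(SAMPLE).items():
        print(pin, finding)
```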

Stay ahead of Python vulnerabilities

Proactively detect and remediate vulnerabilities in your Python dependencies. Monitor your Python dependencies to ensure continuous security.

Frequently asked questions

It is crucial to keep your Python cryptography library up to date to mitigate potential security risks. Regularly review all Python vulnerabilities and apply the necessary patches to keep your applications secure. Stay informed about the latest security advisories to protect your systems.
