cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Cryptography | Cryptography.io | 3.1 (including) | 41.0.6 (excluding) |
Red Hat Ansible Automation Platform 2.4 for RHEL 8 | RedHat | automation-controller-0:4.5.5-2.el8ap | * |
Red Hat Ansible Automation Platform 2.4 for RHEL 8 | RedHat | python3x-cryptography-0:42.0.5-1.el8ap | * |
Red Hat Ansible Automation Platform 2.4 for RHEL 9 | RedHat | automation-controller-0:4.5.5-2.el9ap | * |
Red Hat Ansible Automation Platform 2.4 for RHEL 9 | RedHat | python-cryptography-0:42.0.5-1.el9ap | * |
Red Hat Enterprise Linux 8 | RedHat | python3.11-cryptography-0:37.0.2-6.el8 | * |
Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | python3.11-cryptography-0:37.0.2-5.el8_8.1 | * |
Red Hat Enterprise Linux 9 | RedHat | python3.11-cryptography-0:37.0.2-6.el9 | * |
RHUI 4 for RHEL 8 | RedHat | python-cryptography-0:41.0.6-1.el8ui | * |
Python-cryptography | Ubuntu | bionic | * |
Python-cryptography | Ubuntu | devel | * |
Python-cryptography | Ubuntu | jammy | * |
Python-cryptography | Ubuntu | lunar | * |
Python-cryptography | Ubuntu | mantic | * |
Python-cryptography | Ubuntu | trusty | * |
Python-cryptography | Ubuntu | xenial | * |
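As an added example (not the advisory's or the cryptography project's own code), a defensive wrapper for applications that must keep deserializing PKCS7 input until they can move to 41.0.6: `pkcs7_loader_vulnerable` encodes the [3.1, 41.0.6) range from the table above, and `run_isolated` forks a child process so that a segfault in the loader surfaces as a catchable `ValueError` instead of taking the whole application down. It assumes a POSIX host (`os.fork`); `cryptography` is imported only inside the real worker, and the self-test raises `SIGSEGV` in the child itself rather than using any malformed blob.

```python
# Added example (not the advisory's or the cryptography project's own code); POSIX-only.
import itertools
import os
import pickle
import signal

FIRST_AFFECTED = (3, 1)   # affected range starts at 3.1 (inclusive), per the table
PATCHED = (41, 0, 6)      # first fixed release (excluded from the range)

def pkcs7_loader_vulnerable(version: str) -> bool:
    """True when a cryptography version string falls inside [3.1, 41.0.6)."""
    parsed = tuple(int("".join(itertools.takewhile(str.isdigit, p)) or 0) for p in version.split("."))
    return FIRST_AFFECTED <= parsed < PATCHED

def run_isolated(worker, data: bytes):
    """Run worker(data) in a forked child; a segfault there becomes a ValueError here."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child: parse, ship the result, exit hard
        os.close(rfd)
        try:
            payload = pickle.dumps(("ok", worker(data)))
        except Exception as exc:                   # ordinary parse errors travel back as text
            payload = pickle.dumps(("err", repr(exc)))
        with os.fdopen(wfd, "wb") as pipe_out:
            pipe_out.write(payload)
        os._exit(0)
    os.close(wfd)                                  # parent: drain the pipe, then reap the child
    with os.fdopen(rfd, "rb") as pipe_in:
        raw = pipe_in.read()
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):                     # the child died by signal, e.g. SIGSEGV
        raise ValueError("parser crashed: " + signal.Signals(os.WTERMSIG(status)).name)
    kind, value = pickle.loads(raw)
    if kind != "ok":
        raise ValueError(value)
    return value

def pem_pkcs7_to_der_certs(data: bytes) -> list:
    """Worker for the real loader (imported lazily); returns DER so the result pickles."""
    from cryptography.hazmat.primitives.serialization import Encoding, pkcs7
    return [c.public_bytes(Encoding.DER) for c in pkcs7.load_pem_pkcs7_certificates(data)]

def isolation_self_test() -> str:
    """Kill the child with SIGSEGV (no crafted blob needed) and return the reported signal."""
    try:
        run_isolated(lambda _: os.kill(os.getpid(), signal.SIGSEGV), b"")
    except ValueError as exc:
        return str(exc).split(": ", 1)[1]
    return "child returned a result, nothing was contained"
```

Call `run_isolated(pem_pkcs7_to_der_certs, blob)` for untrusted PEM input and load the returned DER certificates in the parent; upgrading to 41.0.6 remains the fix, the wrapper only limits the blast radius until then.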