{"id":"CVE-2024-26130","summary":"cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override","details":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.","aliases":["GHSA-6vqw-3v5j-54x4","PYSEC-2024-225"],"modified":"2026-04-16T04:36:58.770063695Z","published":"2024-02-21T16:28:18.632Z","related":["ALSA-2025:15608","CGA-83rw-66j6-76m3","SUSE-SU-2024:0763-1","SUSE-SU-2024:2138-1","openSUSE-SU-2024:13710-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26130.json","cwe_ids":["CWE-476"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26130.json"},{"type":"ADVISORY","url":"https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26130"},{"type":"FIX","url":"https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55"},{"type":"FIX","url":"https://github.com/pyca/cryptography/pull/10423"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pyca/cryptography","events":[{"introduced":"52d6f1a491f6ade379ace124b843ffba9fb4ab4f"},{"fixed":"fe18470f7d05f963e7267e34fdf985d81ea6ceea"}]}],"versions":["38.0.0","39.0.0","40.0.0","41.0.0","42.0.0","42.0.1","42.0.2","42.0.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26130.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}