{"id":"PYSEC-2026-1595","summary":"m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657","details":"A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.","aliases":["CVE-2023-50781","GHSA-944j-8ch6-rf6x"],"modified":"2026-07-07T17:46:56.992235943Z","published":"2026-07-07T11:45:31.910766Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50781"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2023-50781"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2254426"},{"type":"PACKAGE","url":"https://gitlab.com/m2crypto/m2crypto"},{"type":"WEB","url":"https://gitlab.com/m2crypto/m2crypto/-/issues/342"},{"type":"PACKAGE","url":"https://pypi.org/project/m2crypto"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-944j-8ch6-rf6x"}],"affected":[{"package":{"name":"m2crypto","ecosystem":"PyPI","purl":"pkg:pypi/m2crypto"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.40.1"}]}],"versions":["0.11","0.13","0.15","0.16","0.17","0.18","0.18.1","0.18.2","0.19","0.19.1","0.20","0.20.1","0.20.2","0.20beta1","0.21","0.21.1","0.22.3","0.22.4","0.22.5","0.23.0","0.24.0","0.25.0","0.25.1","0.26.0","0.26.2","0.26.3","0.26.4","0.27.0","0.28.0","0.28.1","0.28.2","0.29.0","0.30.0","0.30.1","0.31.0","0.32.0","0.33.0","0.34.0","0.35.0","0.35.1","0.35.2","0.36.0","0.37.0","0.37.1","0.38.0","0.39.0","0.40.0","0.40.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/m2crypto/PYSEC-2026-1595.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}