Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0879

NIXPKGS-2026-0879
published on
Permalink CVE-2026-32877
8.2 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 month ago by @mweinelt Activity log
  • Created suggestion 1 month ago
  • @mweinelt ignored
    9 packages
    • botan2
    • botanEsdm
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • chickenPackages_5.chickenEggs.botan
    • haskellPackages.botan-bindings
    • haskellPackages.botan-low
    • python314Packages.botan3
    1 month ago
  • @mweinelt accepted 1 month ago
  • @mweinelt published on GitHub 1 month ago
Botan: Heap Buffer Over-read in SM2 Decryption via Undersized C3 Hash Field

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

Affected products

botan
  • ==>= 2.3.0, < 3.11.0

Matching in nixpkgs

Ignored packages (9)

pkgs.botan2

Cryptographic algorithms library

Package maintainers

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6