{"id":"CVE-2023-49083","summary":"cryptography vulnerable to NULL-dereference when loading PKCS7 certificates","details":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.","aliases":["GHSA-jfhm-5ghh-2f97","PYSEC-2023-254"],"modified":"2026-04-19T04:15:33.623443Z","published":"2023-11-29T18:50:24.263Z","related":["ALSA-2024:2337","ALSA-2024:3105","ALSA-2025:14553","ALSA-2025:15874","CGA-gqhv-c89v-84pg","SUSE-SU-2023:4842-1","SUSE-SU-2023:4843-1","SUSE-SU-2023:4844-1","SUSE-SU-2023:4921-1","SUSE-SU-2024:2375-1","openSUSE-SU-2024:13472-1"],"database_specific":{"cwe_ids":["CWE-476"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/49xxx/CVE-2023-49083.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/49xxx/CVE-2023-49083.json"},{"type":"ADVISORY","url":"https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49083"},{"type":"FIX","url":"https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a"},{"type":"FIX","url":"https://github.com/pyca/cryptography/pull/9926"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pyca/cryptography","events":[{"introduced":"ba2c0e5e3e4fb242b80474d2ff7368c91e7ebeaf"},{"fixed":"f09c261ca10a31fe41b1262306db7f8f1da0e48a"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:*","extracted_events":[{"introduced":"3.1"},{"fixed":"41.0.6"}]}}],"versions":["3.1","3.2","3.3","3.4","35.0.0","36.0.0","37.0.0","38.0.0","39.0.0","40.0.0","41.0.0","41.0.1","41.0.2","41.0.3","41.0.4","41.0.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-49083.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}