CVE-2026-32877

CVE-2026-32877

Name

CVE-2026-32877

Description

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6

Type

URI

security-advisories@github.com

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:botan_project:botan::::::::`	botan	>= 2.3.0	< 3.11.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*

botan

>= 2.3.0

< 3.11.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
botan3	edge-main	3.11.0-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
botan	edge-main	2.19.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
botan	edge-main	2.19.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
botan	edge-main	2.18.1-r4	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
botan	edge-main	2.18.1-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
botan	edge-main	2.17.3-r0	None	possibly vulnerable
botan	edge-main	2.9.0-r0	None	possibly vulnerable
botan	edge-main	2.7.0-r0	None	possibly vulnerable
botan	edge-main	2.6.0-r0	None	possibly vulnerable
botan	edge-main	2.5.0-r0	None	possibly vulnerable
botan	3.21-main	2.19.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
botan	3.21-main	2.19.4-r0	None	possibly vulnerable
botan	3.21-main	2.18.1-r3	None	possibly vulnerable
botan	3.21-main	2.17.3-r0	None	possibly vulnerable
botan	3.21-main	2.9.0-r0	None	possibly vulnerable
botan	3.21-main	2.7.0-r0	None	possibly vulnerable
botan	3.21-main	2.6.0-r0	None	possibly vulnerable
botan	3.21-main	2.5.0-r0	None	possibly vulnerable
botan	3.20-main	2.19.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
botan	3.20-main	2.19.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
botan	3.20-main	2.18.1-r3	None	possibly vulnerable
botan	3.20-main	2.17.3-r0	None	possibly vulnerable
botan	3.20-main	2.9.0-r0	None	possibly vulnerable
botan	3.20-main	2.7.0-r0	None	possibly vulnerable
botan	3.20-main	2.6.0-r0	None	possibly vulnerable
botan	3.20-main	2.5.0-r0	None	possibly vulnerable
botan	3.19-main	2.19.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
botan	3.19-main	2.18.1-r3	None	possibly vulnerable
botan	3.19-main	2.17.3-r0	None	possibly vulnerable
botan	3.19-main	2.9.0-r0	None	possibly vulnerable
botan	3.19-main	2.7.0-r0	None	possibly vulnerable
botan	3.19-main	2.6.0-r0	None	possibly vulnerable
botan	3.19-main	2.5.0-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

botan3

edge-main

3.11.0-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

References

Match rules

Vulnerable and fixed packages