Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-33936
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-27 Mar, 2026 | 23:17
Updated At-01 Apr, 2026 | 13:23

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CPE Matches
tlsfuzzer
tlsfuzzer
>>ecdsa>>Versions before 0.19.2(exclusive)
cpe:2.3:a:tlsfuzzer:ecdsa:*:*:*:*:*:python:*:*
Weaknesses
CWE IDTypeSource
CWE-20Primarysecurity-advisories@github.com
CWE-130Primarysecurity-advisories@github.com
CWE ID: CWE-20
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-130
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3security-advisories@github.com
Patch
https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2security-advisories@github.com
Product
Release Notes
https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28gsecurity-advisories@github.com
Exploit
Mitigation
Vendor Advisory
Hyperlink: https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2
Source: security-advisories@github.com
Resource:
Product
Release Notes
Hyperlink: https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g
Source: security-advisories@github.com
Resource:
Exploit
Mitigation
Vendor Advisory
Change History
0Changes found
Details not found