English
EN
Français
FR
Language
English
EN
Français
FR

CVE Vulnerabilities

Posts & Pages

No results found for ""

Try different keywords or check spelling

Search in CVE database, posts & pages • Press ESC to close

RHSA-2026:2694 Important

RHSA-2026:2694: cryptography: cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

Red Hat Released: February 12, 2026 Updated: February 13, 2026 Restart Required
Official Page

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.

Fixed Vulnerabilities 2

CVE-2026-25639 N/A 0.0 ⚠️ KEV fixed
Feb 09, 2026

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with…

CVE-2026-26007 N/A 0.0 ⚠️ KEV fixed
Feb 10, 2026

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key()…

Quick Info

Patch ID: RHSA-2026:2694
Vendor: Red Hat
Severity: Important
CVEs Fixed: 2
Restart: Required

Vendor

Red Hat

Additional Info

cwe: CWE-354
type: Security Advisory
rhsa id: RHSA-2026:2694
cvss score: 7.4
mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
cvss vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
rhsa number: 2026:2694

Share