CVE-2026-26007 in cryptography
Summary
by MITRE • 02/11/2026
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA, it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.
Analysis
by VulDB Data Team • 04/15/2026
CVE-2026-26007 affects the cryptography package for Python, specifically its elliptic curve key handling. The affected functions, public_key_from_numbers, EllipticCurvePublicNumbers.public_key(), load_der_public_key(), and load_pem_public_key(), accept an elliptic curve point without verifying that it lies in the curve's expected prime-order subgroup. Because these are the standard entry points for importing a peer's public key, any application that loads externally supplied EC keys through them can be handed a point from a small-order subgroup, and the flaw is correspondingly serious.
The flaw manifests when a cryptographic operation is run on a point that is on the curve but not in the prime-order subgroup. Such points exist only on curves whose cofactor is greater than one, which is why only SECT curves are affected: the SECT curves, defined over binary fields, have cofactors of 2 or 4 and therefore contain small-order points, whereas the prime-field curves the library supports have cofactor 1, so every valid point is already in the prime-order subgroup. When a victim performs ECDH with such a small-order point, the shared secret S = [victim_private_key]P is determined entirely by victim_private_key modulo the order of P, so the computation leaks that residue of the private key.
The operational impact covers both ECDSA signature verification and ECDH key negotiation, which are fundamental components of many cryptographic systems. In ECDH, the small-subgroup leak exposes the least significant bits of the private key on curves with cofactor greater than one; this partial exposure reduces the effective entropy of the key and makes further cryptanalysis more tractable. For ECDSA, the vulnerability allows attackers to produce signatures that verify under a weak public key for messages that would normally require the private key, bypassing the guarantees of the signature algorithm. The attack requires no access to the private key; it relies only on the victim accepting a crafted public key.
This vulnerability aligns with CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-328 (Use of Weak Hash Algorithm), and maps to ATT&CK technique T1552.004 (Credentials from Password Stores) in scenarios where the leaked private key information could be used to compromise additional cryptographic assets. The fix in version 46.0.5 addresses the core issue by verifying that an imported public key point lies in the expected prime-order subgroup before any cryptographic operation proceeds. Organizations should upgrade to 46.0.5 or later and review their own cryptographic code to confirm that every externally supplied public key parameter is validated before use. Systems still on affected versions should also consider monitoring for suspicious cryptographic operations that might indicate exploitation attempts, particularly where ECDH key exchanges or ECDSA verifications consume external inputs. The case illustrates how a single missing validation step can undermine an otherwise sound cryptographic protocol.
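To make the missing check concrete, the following is an added example (my own illustration, not code from the cryptography project or from the advisory) on a constructed textbook curve, y^2 = x^3 + x + 1 over F_23. Its 28-point group splits as cofactor 4 times prime order 7, which mirrors the cofactor-2 and cofactor-4 SECT curves in miniature. The validate_public_point function models the [n]P == O subgroup-membership test that the fixed version performs on imported keys, and ecdh_shared_secret shows why accepting a small-order point is harmful: the shared secret derived from it depends only on the private scalar modulo the point's order, which is exactly the leak described above. The curve, the point encoding as (x, y) tuples, and every function name are assumptions of this example.

```python
"""Added example, not code from the cryptography project: a toy model of the
subgroup check that CVE-2026-26007 was missing.

Curve: y^2 = x^3 + x + 1 over F_23 (constructed; not a curve the library ships).
Its group has 28 points = 4 * 7, so like the SECT curves it has a prime-order
subgroup (n = 7) and a cofactor (h = 4) whose small-order points must be refused.
"""

P_MOD, A, B = 23, 1, 1   # constructed curve parameters
INF = None               # point at infinity (group identity)


def on_curve(pt):
    """True if pt is the identity or satisfies y^2 = x^3 + A*x + B (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition on a short Weierstrass curve over F_p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P + (-P) = O; also doubles an order-2 point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add (k >= 0)."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def all_points():
    """Every affine point on the curve, by brute force (p is tiny)."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]


def group_order():
    return len(all_points()) + 1        # +1 for the point at infinity


def largest_prime_factor(m):
    f, last = 2, 1
    while f * f <= m:
        while m % f == 0:
            last, m = f, m // f
        f += 1
    return max(last, m) if m > 1 else last


def subgroup_params():
    """(n, h): prime subgroup order and cofactor, as a curve spec lists them."""
    N = group_order()
    n = largest_prime_factor(N)
    return n, N // n


def validate_public_point(pt, n):
    """The check the fixed library performs on an imported public key: the point
    must be on the curve, must not be the identity, and must satisfy [n]P == O,
    i.e. lie in the prime-order subgroup.  On a cofactor-1 curve the last test
    is redundant; on a cofactor-2 or -4 curve it is what rejects small-order points."""
    if pt is INF or not on_curve(pt):
        return False
    return mul(n, pt) is INF


def small_order_points(h):
    """Affine points annihilated by the cofactor: exactly the ones the check rejects."""
    return [pt for pt in all_points() if mul(h, pt) is INF]


def ecdh_shared_secret(private_scalar, peer_point):
    """Raw ECDH, S = [d]P.  If P is an unvalidated small-order point, S depends
    only on d mod ord(P): the leak the advisory describes."""
    return mul(private_scalar, peer_point)


if __name__ == "__main__":
    n, h = subgroup_params()
    print(f"group order {group_order()} = {h} * {n}")
    for pt in small_order_points(h):
        print(f"{pt}: accepted={validate_public_point(pt, n)}")
```

Running the file lists the three cofactor points of the toy curve and shows each being rejected by the membership test; the only accepted points are the six non-identity members of the order-7 subgroup. In production the remedy is simply to upgrade, since the library performs this check internally on import and exposes no point arithmetic for callers to repeat it; the model above is for understanding what changed, not for retrofitting onto an older version.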