pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to set_cookie_generate_callback returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.
CVE-2026-27459
This critical-severity CVE scores 9.8 under NVD CVSS v3. EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 9.8
- EG Score
- 9.8(low)
- EPSS
- 48.8%
- KEV
- Not listed
Published
March 18, 2026
Last Modified
July 1, 2026
Advisory Details (10)
Auto-updated Jul 3, 2026Buffer overflow if DTLS cookie callback returned too long of a value · Advisory · pyca/pyopenssl · GitHub
https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4commit 57f09bb4bb05 (pyca/pyopenssl)
Fix landed in pyca/pyopenssl commit 57f09bb4bb05 — awaiting tagged release
https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408pyopenssl/CHANGELOG.rst at 358cbf29c4e364c59930e53a270116249581eaa3 · pyca/pyopenssl · GitHub
https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rstVendor Advisories for CVE-2026-27459(18)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2026:24853Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Quay 3.15.5
- RHSA-2026:22465Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Quay 3.17.2
- CVE-2026-27459Microsoft Security Response Center (MSRC)High
pyOpenSSL DTLS cookie callback buffer overflow
- RHSA-2026:21017Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Quay 3.14.8
- RHSA-2026:19375Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Quay 3.16.4
- RHSA-2026:14874Red Hat Product SecurityHigh
Red Hat Security Advisory: Satellite 6.16.8 Async Update
- RHSA-2026:14873Red Hat Product SecurityHigh
Red Hat Security Advisory: Satellite 6.17.8 Async Update
- RHSA-2026:14835Red Hat Product SecurityHigh
Red Hat Security Advisory: Satellite 6.18.5 Async Update
- +10 more
Patch Availability(16)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | quay/quay-rhel8:1780891395 | 2026-06-09 | redhat |
| redhat | quay/quay-rhel9:1779922205 | 2026-06-02 | redhat |
| redhat | quay/quay-rhel8:1779689392 | 2026-05-26 | redhat |
| redhat | quay/quay-rhel9:1779204086 | 2026-05-19 | redhat |
| redhat | python3.12-pyOpenSSL-0:26.0.0-2.el9pc | 2026-05-07 | redhat |
| redhat | python-pyOpenSSL-0:25.1.0-0.3.el9pc | 2026-05-07 | redhat |
| redhat | python-pyOpenSSL-0:24.1.0-2.el9pc | 2026-05-07 | redhat |
| redhat | python3.12-pyOpenSSL-0:26.0.0-1.el9ap | 2026-05-04 | redhat |
| redhat | ansible-automation-platform-25/lightspeed-rhel8:1777403872 | 2026-05-04 | redhat |
| redhat | ansible-automation-platform-26/platform-resource-runner-rhel9:1777390333 | 2026-05-04 | redhat |
| redhat | quay/quay-rhel8:1776782369 | 2026-04-30 | redhat |
| redhat | quay/quay-rhel8:1776736910 | 2026-04-29 | redhat |
| redhat | quay/quay-rhel8:1776752646 | 2026-04-29 | redhat |
| redhat | python-pyOpenSSL-0:24.1.0-2.el8ui | 2026-04-27 | redhat |
| redhat | rhtas/model-transparency-rhel9:1775815407 | 2026-04-16 | redhat |
| redhat | pyopenssl-main-26.0.0-1.1.hum1 | 2026-04-09 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| pyopenssl | 22.0.0 ... 25.3.0 (15 versions) | 26.0.0 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 11× in last 7d / 14× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 04:33 UTCEG score recompute
- 2026-06-30 04:33 UTCVendor advisory
- 2026-06-30 04:31 UTCNVD updatefirst tracked
Frequently asked(5)
What is CVE-2026-27459?
When was CVE-2026-27459 disclosed?
Is CVE-2026-27459 actively exploited?
What is the CVSS score of CVE-2026-27459?
How do I remediate CVE-2026-27459?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-27459
Is Your Infrastructure Affected by CVE-2026-27459?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.