CVE-2026-27459 is a buffer overflow vulnerability in the pyOpenSSL library, a Python wrapper around OpenSSL. The vulnerability arises from improper validation of the size of cookie values returned by user-defined callbacks registered via set_cookie_generate_callback. Specifically, if the callback returns a cookie value larger than 256 bytes, pyOpenSSL copies this data into an OpenSSL buffer without checking the size, leading to a classic buffer overflow (CWE-120). This can corrupt memory, potentially allowing attackers to execute arbitrary code or cause application crashes. The flaw affects pyOpenSSL versions from 22.0.0 up to but excluding 26.0.0. The vulnerability does not require authentication or user interaction but has a high attack complexity, meaning exploitation is possible but may require specific conditions or knowledge. The issue was addressed in version 26.0.0 by rejecting cookie values that exceed the 256-byte limit, preventing the overflow. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to applications relying on pyOpenSSL for TLS/SSL operations, especially those that implement custom cookie generation logic. The CVSS 4.0 base score is 7.2, reflecting high severity due to the potential impact on confidentiality, integrity, and availability of affected systems.

The vulnerability could allow remote attackers to cause memory corruption in applications using vulnerable pyOpenSSL versions, potentially leading to remote code execution or denial of service. This can compromise the confidentiality, integrity, and availability of systems relying on pyOpenSSL for secure communications. Exploitation could enable attackers to bypass security controls, execute arbitrary code with the privileges of the affected application, or crash services, resulting in downtime. Organizations running Python applications that handle TLS/SSL connections and use custom cookie generation callbacks are at particular risk. The high attack complexity reduces the likelihood of widespread automated exploitation, but targeted attacks against critical infrastructure or sensitive applications remain a concern. The absence of known exploits in the wild provides some temporary relief, but the vulnerability should be treated as urgent due to the potential severity of impact.

1. Upgrade pyOpenSSL to version 26.0.0 or later, where the vulnerability is fixed by rejecting cookie values exceeding 256 bytes. 2. Review and audit any custom cookie generation callbacks used with set_cookie_generate_callback to ensure they do not produce excessively large cookie values. 3. Implement input validation and size checks on cookie values before they are returned by callbacks to prevent buffer overflow conditions. 4. Employ runtime protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate exploitation impact. 5. Monitor application logs and network traffic for unusual behavior or crashes that could indicate attempted exploitation. 6. Conduct code reviews and penetration testing focusing on TLS/SSL handling and custom callback implementations. 7. If immediate upgrade is not possible, consider disabling or restricting the use of set_cookie_generate_callback functionality temporarily to reduce exposure.