CVE-2026-33936: CWE-20: Improper Input Validation in tlsfuzzer python-ecdsa
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.
AI Analysis
Technical Summary
The python-ecdsa library, a pure Python implementation of elliptic curve cryptography algorithms, had a vulnerability in versions before 0.19.2 related to improper input validation in DER parsing. The function remove_octet_string() accepted truncated DER-encoded OCTET STRINGs where the declared length was larger than the available data, leading to internal exceptions like IndexError during parsing. This improper handling means that malformed DER inputs can cause the SigningKey.from_der() method to raise unexpected exceptions rather than standard parsing errors. This behavior can cause applications that do not anticipate such exceptions to crash, resulting in a denial of service. The vulnerability is tracked as CVE-2026-33936 and has a CVSS 3.1 base score of 5.3 (medium severity). The issue was fixed in python-ecdsa version 0.19.2.
Potential Impact
This vulnerability can cause denial of service in applications that parse untrusted DER private keys using python-ecdsa versions prior to 0.19.2. Specifically, malformed DER inputs can trigger unexpected internal exceptions leading to application crashes if these exceptions are not properly handled. There is no impact on confidentiality or integrity, only availability. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade python-ecdsa to version 0.19.2 or later, where this input validation issue has been fixed. Applications should also ensure they properly handle exceptions from DER parsing functions to avoid crashes from malformed inputs. Patch status is confirmed fixed in version 0.19.2.
CVE-2026-33936: CWE-20: Improper Input Validation in tlsfuzzer python-ecdsa
Description
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The python-ecdsa library, a pure Python implementation of elliptic curve cryptography algorithms, had a vulnerability in versions before 0.19.2 related to improper input validation in DER parsing. The function remove_octet_string() accepted truncated DER-encoded OCTET STRINGs where the declared length was larger than the available data, leading to internal exceptions like IndexError during parsing. This improper handling means that malformed DER inputs can cause the SigningKey.from_der() method to raise unexpected exceptions rather than standard parsing errors. This behavior can cause applications that do not anticipate such exceptions to crash, resulting in a denial of service. The vulnerability is tracked as CVE-2026-33936 and has a CVSS 3.1 base score of 5.3 (medium severity). The issue was fixed in python-ecdsa version 0.19.2.
Potential Impact
This vulnerability can cause denial of service in applications that parse untrusted DER private keys using python-ecdsa versions prior to 0.19.2. Specifically, malformed DER inputs can trigger unexpected internal exceptions leading to application crashes if these exceptions are not properly handled. There is no impact on confidentiality or integrity, only availability. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade python-ecdsa to version 0.19.2 or later, where this input validation issue has been fixed. Applications should also ensure they properly handle exceptions from DER parsing functions to avoid crashes from malformed inputs. Patch status is confirmed fixed in version 0.19.2.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T19:50:52.103Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c702cd2b68dbd88e2edf86
Added to database: 3/27/2026, 10:21:01 PM
Last enriched: 4/4/2026, 10:47:27 AM
Last updated: 5/13/2026, 6:38:22 AM
Views: 133
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.