CVE-2026-32877

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

—

Description

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-32877 NameCVE-2026-32877 DescriptionBotan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially…

CVE-2026-32877

Name	CVE-2026-32877
Description	Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
botan (PTS)	bullseye	2.17.3+dfsg-2	vulnerable
	bookworm	2.19.3+dfsg-1+deb12u1	vulnerable
	trixie	2.19.5+dfsg-4	vulnerable
botan3 (PTS)	trixie	3.7.1+dfsg-2	vulnerable
	forky, sid	3.12.0+dfsg-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
botan	source	(unstable)	(unfixed)
botan3	source	experimental	3.11.0+dfsg-1
botan3	source	(unstable)	3.11.0+dfsg-2

Notes

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6
https://github.com/randombit/botan/commit/f3c31f96f58f1d1d482032d8f4286dc9ebbc6712 (3.11.0)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6https://github.com/randombit/botan/commit/f3c31f96f58f1d1d482032d8f4286dc9ebbc6712 (3.11.0)

OS impact

Debian Mixed 5 releases

Version	Status	Fixed in
trixie	Affected	—
sid	Fixed	`3.11.0+dfsg-2`
forky	Fixed	`3.11.0+dfsg-2`
bullseye	Affected	—
bookworm	Affected	—

References

https://security-tracker.debian.org/tracker/CVE-2026-32877

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.