VIR Vulnerability Intelligence Relay

CVE-2026-32877

unknown
Published — · Modified —
CVSS v3
VIR risk

Description

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-32877 NameCVE-2026-32877 DescriptionBotan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially…

CVE-2026-32877

NameCVE-2026-32877
DescriptionBotan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
botan (PTS)bullseye2.17.3+dfsg-2vulnerable
bookworm2.19.3+dfsg-1+deb12u1vulnerable
trixie2.19.5+dfsg-4vulnerable
botan3 (PTS)trixie3.7.1+dfsg-2vulnerable
forky, sid3.12.0+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
botansource(unstable)(unfixed)
botan3sourceexperimental3.11.0+dfsg-1
botan3source(unstable)3.11.0+dfsg-2

Notes

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6
https://github.com/randombit/botan/commit/f3c31f96f58f1d1d482032d8f4286dc9ebbc6712 (3.11.0)

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6https://github.com/randombit/botan/commit/f3c31f96f58f1d1d482032d8f4286dc9ebbc6712 (3.11.0)

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianbullseyeaffected
debian debiantrixieaffected
debian debianforkyfixed3.11.0+dfsg-2
debian debiansidfixed3.11.0+dfsg-2

References

💬 Discuss CVE-2026-32877 on VIR Community →

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.