CVE-2026-33936
Received Received - Intake
IndexError in ecdsa Package DER Parsing Causes DoS Crash

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33936
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tlsfuzzer ecdsa to 0.19.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the `ecdsa` PyPI package, which is a pure Python implementation of Elliptic Curve Cryptography (ECC). Prior to version 0.19.2, the package's low-level DER parsing functions improperly handle truncated DER inputs. Specifically, the function `ecdsa.der.remove_octet_string()` accepts DER-encoded OCTET STRINGs that declare a length larger than the actual available data, allowing malformed inputs to be parsed instead of rejected.

As a result, when a crafted DER input is processed by `SigningKey.from_der()`, it can raise an internal exception (`IndexError: index out of bounds on dimension 1`) instead of cleanly rejecting the malformed data with expected exceptions like `UnexpectedDER` or `ValueError`. This means applications parsing untrusted DER private keys may crash if they do not properly handle these unexpected exceptions.

Compliance Impact

This vulnerability can cause denial of service in applications that parse untrusted DER private keys due to unexpected exceptions. While it does not directly impact confidentiality or integrity, the resulting service disruption could affect availability.

Compliance with standards such as GDPR or HIPAA often requires maintaining availability and reliability of systems processing sensitive data. Therefore, this vulnerability could indirectly affect compliance by causing service outages or interruptions.

However, there is no direct indication from the provided information that this vulnerability leads to data breaches or unauthorized access, which are primary concerns in these regulations.

Impact Analysis

The primary impact of this vulnerability is a potential denial of service (DoS). Applications that use the vulnerable `ecdsa` package to parse DER-encoded private keys from untrusted sources may crash unexpectedly due to unhandled internal exceptions caused by malformed inputs.

This can disrupt normal operations of software relying on this package for cryptographic key handling, potentially leading to service outages or interruptions.

Mitigation Strategies

To mitigate this vulnerability, upgrade the `ecdsa` PyPI package to version 0.19.2 or later, where the issue with DER parsing is patched.

Additionally, ensure that applications parsing untrusted DER private keys handle unexpected exceptions properly to avoid denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33936. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart