CVE-2026-33936
IndexError in ecdsa Package DER Parsing Causes DoS Crash
Publication date: 2026-03-27
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tlsfuzzer | ecdsa | < 0.19.2 (0.19.2 itself is the fixed release) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-130 | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the `ecdsa` PyPI package, which is a pure Python implementation of Elliptic Curve Cryptography (ECC). Prior to version 0.19.2, the package's low-level DER parsing functions improperly handle truncated DER inputs. Specifically, the function `ecdsa.der.remove_octet_string()` accepts DER-encoded OCTET STRINGs that declare a length larger than the actual available data, allowing malformed inputs to be parsed instead of rejected.
As a result, when a crafted DER input is processed by `SigningKey.from_der()`, it can raise an internal exception (`IndexError: index out of bounds on dimension 1`) instead of cleanly rejecting the malformed data with expected exceptions like `UnexpectedDER` or `ValueError`. This means applications parsing untrusted DER private keys may crash if they do not properly handle these unexpected exceptions.
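The length-versus-data mismatch described above, as an added illustration that is not code from the ecdsa project: a minimal DER OCTET STRING reader in a lenient form that trusts the declared length (the class of defect described) beside a strict form that rejects a length exceeding the remaining bytes, followed by a consumer that indexes into the result and classifies what happens. The function names, the `UnexpectedDER` class defined here and the sample byte strings are assumptions constructed for this example.

```python
# Added illustration, not code from the ecdsa project; names, exception class and bytes are hypothetical.
class UnexpectedDER(Exception):
    """Raised when the input is not well-formed DER."""

def _read_length(data: bytes, pos: int) -> tuple:
    """Decode a DER length at data[pos]; return (length, offset of the content)."""
    if pos >= len(data):
        raise UnexpectedDER("missing length byte")
    first = data[pos]
    if first < 0x80:                                  # short form: one byte
        return first, pos + 1
    n = first & 0x7F                                  # long form: n following bytes
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        raise UnexpectedDER("bad long-form length")
    length = int.from_bytes(data[pos + 1:pos + 1 + n], "big")
    if length < 0x80 or data[pos + 1] == 0:
        raise UnexpectedDER("non-minimal length encoding")
    return length, pos + 1 + n

def remove_octet_string_lenient(data: bytes) -> tuple:
    """Defective form: trusts the declared length without checking that it fits."""
    if not data or data[0] != 0x04:
        raise UnexpectedDER("not an OCTET STRING")
    length, start = _read_length(data, 1)
    # On truncated input the slice is shorter than declared; a later index by expected size raises IndexError.
    return data[start:start + length], data[start + length:]

def remove_octet_string_strict(data: bytes) -> tuple:
    """Hardened form: the declared length must fit in the remaining bytes."""
    if not data or data[0] != 0x04:
        raise UnexpectedDER("not an OCTET STRING")
    length, start = _read_length(data, 1)
    if length > len(data) - start:
        raise UnexpectedDER(f"declares {length} bytes, only {len(data) - start} available")
    return data[start:start + length], data[start + length:]

def outcome(parser, data: bytes) -> str:
    """Parse, then read byte 31 as a consumer expecting a 32-byte private scalar would."""
    try:
        body, _rest = parser(data)
        _ = body[31]
        return "ok"
    except UnexpectedDER:
        return "rejected"   # clean rejection that callers can anticipate
    except IndexError:
        return "crashed"    # the DoS outcome described in the advisory

# Constructed samples: a well-formed 32-byte OCTET STRING, and one declaring 32 bytes but carrying 3.
VALID = bytes([0x04, 0x20]) + bytes(range(32))
TRUNCATED = bytes([0x04, 0x20]) + b"\x01\x02\x03"
```

Running `outcome` with each parser over `TRUNCATED` shows the difference: the lenient reader lets the consumer crash with `IndexError`, the strict one raises `UnexpectedDER` before any consumer sees the data.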
How can this vulnerability impact me?
The primary impact of this vulnerability is a potential denial of service (DoS). Applications that use the vulnerable `ecdsa` package to parse DER-encoded private keys from untrusted sources may crash unexpectedly due to unhandled internal exceptions caused by malformed inputs.
This can disrupt normal operations of software relying on this package for cryptographic key handling, potentially leading to service outages or interruptions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the `ecdsa` PyPI package to version 0.19.2 or later, where the issue with DER parsing is patched.
Additionally, ensure that applications parsing untrusted DER private keys handle unexpected exceptions properly to avoid denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can cause denial of service in applications that parse untrusted DER private keys due to unexpected exceptions. While it does not directly impact confidentiality or integrity, the resulting service disruption could affect availability.
Compliance with standards such as GDPR or HIPAA often requires maintaining availability and reliability of systems processing sensitive data. Therefore, this vulnerability could indirectly affect compliance by causing service outages or interruptions.
However, there is no direct indication from the provided information that this vulnerability leads to data breaches or unauthorized access, which are primary concerns in these regulations.