CVE-2026-44378
Denial of Service in Botan Cryptography Library
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| botan | botan | to 3.12.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2026-44378 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The CVE-2026-44378 vulnerability affects the Botan C++ cryptography library versions prior to 3.12.0. It involves a denial-of-service risk caused by the parser's quadratic time complexity when handling certain indefinite length encodings in BER (Basic Encoding Rules) data.
Specifically, Botan accepted indefinite length encodings even in structures that require DER (Distinguished Encoding Rules), which prohibits such encodings. Attackers can exploit this by sending specially crafted ASN.1 encoded data, such as X.509 certificates or OCSP responses, causing the parser to consume excessive CPU resources and degrade performance significantly.
This vulnerability is classified under CWE-407 (Inefficient Algorithmic Complexity) and was fixed in Botan version 3.12.0.
How can this vulnerability impact me? :
This vulnerability can lead to a denial-of-service (DoS) condition by causing the Botan library to consume excessive CPU resources when parsing maliciously crafted BER indefinite length encodings.
If your system uses Botan for processing ASN.1 encoded data like X.509 certificates or OCSP responses, an attacker could exploit this flaw to degrade system performance or cause service outages by sending specially crafted data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for the presence of specially crafted ASN.1 encoded data, such as X.509 certificates or OCSP responses, that use indefinite length encodings in BER format where DER encoding is expected.
Detection may involve capturing and analyzing network traffic for suspicious ASN.1 BER indefinite length encodings.
Specific commands are not provided in the available resources, but tools like Wireshark or tshark can be used to capture and inspect ASN.1 encoded data.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Botan library to version 3.12.0 or later, where this vulnerability has been fixed.
Until the upgrade is applied, avoid processing untrusted ASN.1 BER data that may contain indefinite length encodings, especially in contexts requiring DER encoding.