CVE-2026-44378
Analyzed - Analysis Complete
Denial of Service in Botan Cryptography Library

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0.
Meta Information
Published: 2026-05-27
Last Modified: 2026-06-02
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: botan_project
Product: botan
Version / Range: up to 3.12.0 (exclusive)
CWE ID: CWE-407
Description: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Executive Summary

The CVE-2026-44378 vulnerability affects the Botan C++ cryptography library versions prior to 3.12.0. It involves a denial-of-service risk caused by the parser's quadratic time complexity when handling certain indefinite length encodings in BER (Basic Encoding Rules) data.

Specifically, Botan accepted indefinite length encodings even in structures that require DER (Distinguished Encoding Rules), which prohibits such encodings. Attackers can exploit this by sending specially crafted ASN.1 encoded data, such as X.509 certificates or OCSP responses, causing the parser to consume excessive CPU resources and degrade performance significantly.

This vulnerability is classified under CWE-407 (Inefficient Algorithmic Complexity) and was fixed in Botan version 3.12.0.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by causing the Botan library to consume excessive CPU resources when parsing maliciously crafted BER indefinite length encodings.

If your system uses Botan for processing ASN.1 encoded data like X.509 certificates or OCSP responses, an attacker could exploit this flaw to degrade system performance or cause service outages by sending specially crafted data.

Detection Guidance

This vulnerability can be detected by monitoring for the presence of specially crafted ASN.1 encoded data, such as X.509 certificates or OCSP responses, that use indefinite length encodings in BER format where DER encoding is expected.

Detection may involve capturing and analyzing network traffic for suspicious ASN.1 BER indefinite length encodings.

Specific commands are not provided in the available resources, but tools like Wireshark or tshark can be used to capture and inspect ASN.1 encoded data.

Mitigation Strategies

The immediate mitigation step is to upgrade the Botan library to version 3.12.0 or later, where this vulnerability has been fixed.

Until the upgrade is applied, avoid processing untrusted ASN.1 BER data that may contain indefinite length encodings, especially in contexts requiring DER encoding.
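
The detection and interim mitigation described above both come down to rejecting input that carries an indefinite length where DER is required. The following pre-parse filter is an added example, not code from Botan or from this advisory; `DerCheck`, `check_definite_lengths` and `kMaxDepth` are hypothetical names, and the filter checks only the indefinite-length rule, not full DER validity.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class DerCheck { Ok, IndefiniteLength, Malformed, TooDeep };
constexpr int kMaxDepth = 64;  // assumed nesting cap, not a Botan constant

// Single pass over the TLV headers in p[0, len); content octets are never
// re-scanned, so the check itself is linear in the input size.
static DerCheck walk(const uint8_t* p, size_t len, int depth) {
    if (depth > kMaxDepth) return DerCheck::TooDeep;
    size_t i = 0;
    while (i < len) {
        const uint8_t id = p[i++];
        if ((id & 0x1F) == 0x1F) {  // high-tag-number form: skip tag octets
            do { if (i >= len) return DerCheck::Malformed; } while (p[i++] & 0x80);
        }
        if (i >= len) return DerCheck::Malformed;
        const uint8_t l0 = p[i++];
        if (l0 == 0x80) return DerCheck::IndefiniteLength;  // forbidden in DER
        size_t n = l0;
        if (l0 & 0x80) {  // long form: low 7 bits give the count of length octets
            const size_t cnt = l0 & 0x7F;
            if (cnt > sizeof(size_t) || cnt > len - i) return DerCheck::Malformed;
            n = 0;
            for (size_t k = 0; k < cnt; ++k) n = (n << 8) | p[i++];
        }
        if (n > len - i) return DerCheck::Malformed;  // content runs past buffer
        if (id & 0x20) {  // constructed: children live inside the content octets
            const DerCheck r = walk(p + i, n, depth + 1);
            if (r != DerCheck::Ok) return r;
        }
        i += n;
    }
    return DerCheck::Ok;
}

DerCheck check_definite_lengths(const std::vector<uint8_t>& buf) {
    return walk(buf.data(), buf.size(), 0);
}

int main() {
    // Constructed samples: SEQUENCE { INTEGER 5 } in DER, then the same value
    // with a BER indefinite length (0x80) and end-of-contents octets.
    const std::vector<uint8_t> der = {0x30, 0x03, 0x02, 0x01, 0x05};
    const std::vector<uint8_t> ber = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00};
    std::printf("der=%d ber=%d\n", static_cast<int>(check_definite_lengths(der)),
                static_cast<int>(check_definite_lengths(ber)));
}
```

The filter descends only into constructed encodings, so DER wrapped inside a primitive OCTET STRING or BIT STRING is not inspected until it is extracted and checked separately.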

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-44378 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
