CVE-2026-32877
8.2
HIGH
CVSS 3.1
EPSS 0.07%
Description
Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.
How to fix CVE-2026-32877
To remediate CVE-2026-32877, upgrade the affected package to a fixed version below.
- —upgrade to 3.11.0-r0 or later
- —no fix listed
- —no fix listed
Is CVE-2026-32877 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.11.0-r0
- from 0
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |