CVE-2026-27459

Name	CVE-2026-27459
Description	pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pyopenssl (PTS)	bullseye	20.0.1-1	vulnerable
	bookworm	23.0.0-1	vulnerable
	trixie	25.0.0-1	vulnerable
	forky	25.3.0-2	vulnerable
	sid	26.0.0-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
pyopenssl	source	(unstable)	(unfixed)

Notes

https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr4
https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408 (26.0.0)