Nixpkgs security tracker

Untriaged

Permalink CVE-2026-32877

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): HIGH

created 2 weeks, 5 days ago

Botan: Heap Buffer Over-read in SM2 Decryption via Undersized C3 Hash Field

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

References

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6 x_refsource_CONFIRM

Affected products

botan

==>= 2.3.0, < 3.11.0

Matching in nixpkgs

pkgs.botan2

Cryptographic algorithms library

pkgs.botan3

Cryptographic algorithms library

nixos-unstable 3.11.0
- nixpkgs-unstable 3.11.0
- nixos-unstable-small 3.11.0
nixos-25.11 3.10.0
- nixos-25.11-small 3.10.0
- nixpkgs-25.11-darwin 3.10.0

pkgs.botanEsdm

Cryptographic algorithms library

nixos-unstable 3.11.0
- nixpkgs-unstable 3.11.0
- nixos-unstable-small 3.11.0
nixos-25.11 3.10.0
- nixos-25.11-small 3.10.0
- nixpkgs-25.11-darwin 3.10.0

pkgs.emiluaPlugins.botan

Securely clears secrets from memory in Emilua

nixos-unstable 1.2.1
- nixpkgs-unstable 1.2.1
- nixos-unstable-small 1.2.1
nixos-25.11 1.2.1
- nixos-25.11-small 1.2.1
- nixpkgs-25.11-darwin 1.2.1

pkgs.python312Packages.botan3

Python Bindings for botan3 cryptography library

nixos-25.11 botan3-3.10.0
- nixos-25.11-small botan3-3.10.0
- nixpkgs-25.11-darwin botan3-3.10.0

pkgs.python313Packages.botan3

Python Bindings for botan3 cryptography library

nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.0
- nixos-unstable-small botan3-3.11.0
nixos-25.11 botan3-3.10.0
- nixos-25.11-small botan3-3.10.0
- nixpkgs-25.11-darwin botan3-3.10.0

pkgs.python314Packages.botan3

Python Bindings for botan3 cryptography library

nixos-unstable botan3-3.11.0
- nixpkgs-unstable botan3-3.11.0
- nixos-unstable-small botan3-3.11.0

pkgs.haskellPackages.botan-low

Low-level Botan bindings

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0
nixos-25.11 0.0.2.0
- nixos-25.11-small 0.0.2.0
- nixpkgs-25.11-darwin 0.0.2.0

pkgs.haskellPackages.botan-bindings

Raw Botan bindings

nixos-unstable 0.2.0.0
- nixpkgs-unstable 0.2.0.0
- nixos-unstable-small 0.2.0.0
nixos-25.11 0.1.0.0
- nixos-25.11-small 0.1.0.0
- nixpkgs-25.11-darwin 0.1.0.0

pkgs.chickenPackages_5.chickenEggs.botan

Bindings to the Botan cryptographic library

Package maintainers

@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@thillux Markus Theil <theil.markus@gmail.com>
@manipuladordedados Valter Nazianzeno <manipuladordedados@gmail.com>
@nikstur nikstur <nikstur@outlook.com>
@mikatammi Mika Tammi <mikatammi@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.botan2

pkgs.botan3

pkgs.botanEsdm

pkgs.emiluaPlugins.botan

pkgs.python312Packages.botan3

pkgs.python313Packages.botan3

pkgs.python314Packages.botan3

pkgs.haskellPackages.botan-low

pkgs.haskellPackages.botan-bindings

pkgs.chickenPackages_5.chickenEggs.botan

Package maintainers