{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-30T20:36:43Z",
  "bugzilla" : {
    "description" : "Botan: Denial of Service via heap over-read during SM2 decryption",
    "id" : "2453209",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2453209"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1284",
  "details" : [ "Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.", "A flaw was found in Botan, a C++ cryptography library. During SM2 decryption, the library failed to validate the length of the authentication code value (C3) before comparison. A remote attacker could exploit this by providing a specially crafted invalid ciphertext, leading to a heap over-read of up to 31 bytes. This can result in a denial of service due to a crash or other undefined behavior." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "rust-sequoia-sq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "rust-sequoia-sqv",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32877", "https://nvd.nist.gov/vuln/detail/CVE-2026-32877", "https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6" ],
  "name" : "CVE-2026-32877",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}
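The pattern behind the flaw in the details above, as an added illustration that is not Botan's code: an SM2 ciphertext carries a C3 field that is an SM3 digest (32 bytes), and the decryptor recomputes the digest and compares it against the received C3. A comparison helper that takes a fixed length and trusts the caller reads 32 bytes from the received C3 whether or not 32 bytes are there, so a short C3 turns the compare into a heap over-read of `32 - len(C3)` bytes (31 for a 1-byte C3, the advisory's upper bound). The hardened form rejects any C3 whose length is not exactly the digest length before touching its bytes. The function names, the constant-time helper and the sample digest are constructed for this example (the digest is not a real SM3 output); the vulnerable variant is shown but never executed, since running it on short input is undefined behaviour.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// C3 in an SM2 ciphertext is an SM3 digest: 32 bytes.
constexpr std::size_t SM3_DIGEST_LEN = 32;

// Constant-time comparison of exactly `len` bytes from each pointer.
// Like memcmp it trusts the caller's length: if `a` points at a buffer
// shorter than `len`, the loop reads past its end.
bool ct_equal(const std::uint8_t* a, const std::uint8_t* b, std::size_t len) {
    std::uint8_t diff = 0;
    for (std::size_t i = 0; i < len; ++i) diff |= static_cast<std::uint8_t>(a[i] ^ b[i]);
    return diff == 0;
}

// VULNERABLE pattern (illustrative, not Botan's code). The attacker-supplied
// C3 is compared against the 32-byte computed digest without first checking
// that it actually holds 32 bytes, so a short C3 is read past its end.
// Deliberately never called in this example: with a short c3 it is UB.
bool verify_c3_unchecked(const std::vector<std::uint8_t>& c3,
                         const std::array<std::uint8_t, SM3_DIGEST_LEN>& computed) {
    return ct_equal(c3.data(), computed.data(), SM3_DIGEST_LEN);  // reads 32 bytes regardless of c3.size()
}

// How many bytes past the end of `c3` the unchecked compare above would read.
std::size_t over_read_bytes_if_unchecked(const std::vector<std::uint8_t>& c3) {
    return c3.size() < SM3_DIGEST_LEN ? SM3_DIGEST_LEN - c3.size() : 0;
}

// HARDENED pattern: validate the length of the encoded C3 before comparing.
// A C3 of any other length (short or long) means the ciphertext is invalid,
// which is reported as an authentication failure, not an out-of-bounds read.
bool verify_c3(const std::vector<std::uint8_t>& c3,
               const std::array<std::uint8_t, SM3_DIGEST_LEN>& computed) {
    if (c3.size() != SM3_DIGEST_LEN) return false;
    return ct_equal(c3.data(), computed.data(), SM3_DIGEST_LEN);
}

// Constructed stand-in for the recomputed digest (not a real SM3 output).
std::array<std::uint8_t, SM3_DIGEST_LEN> sample_digest() {
    std::array<std::uint8_t, SM3_DIGEST_LEN> d{};
    for (std::size_t i = 0; i < d.size(); ++i) d[i] = static_cast<std::uint8_t>(0xA0 + i);
    return d;
}

std::vector<std::uint8_t> bytes_of(const std::array<std::uint8_t, SM3_DIGEST_LEN>& d) {
    return std::vector<std::uint8_t>(d.begin(), d.end());
}

// Flip one bit of a received C3 to model a tampered but correctly sized tag.
std::vector<std::uint8_t> tampered(std::vector<std::uint8_t> c3, std::size_t index) {
    if (index < c3.size()) c3[index] ^= 0x01;
    return c3;
}

// Decryptor-side check of a received C3 against the constructed digest.
bool accepts(const std::vector<std::uint8_t>& c3) {
    return verify_c3(c3, sample_digest());
}

int main() {
    const auto good = bytes_of(sample_digest());
    const std::vector<std::uint8_t> one_byte{0x00};
    std::cout << "valid C3 accepted:    " << accepts(good) << '\n';
    std::cout << "tampered C3 rejected: " << !accepts(tampered(good, 5)) << '\n';
    std::cout << "1-byte C3 rejected:   " << !accepts(one_byte) << '\n';
    std::cout << "bytes an unchecked compare would read past a 1-byte C3: "
              << over_read_bytes_if_unchecked(one_byte) << '\n';
    return 0;
}
```

The length check has to come before the comparison, not after: a comparison that runs first has already performed the out-of-bounds read by the time any length test could reject the input. Rejecting an over-long C3 as well closes off trailing-data ambiguity in the same place.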