VDB
CVE-2026-44378
CVE-2026-44378
PUBLISHED
CVSS 6.9 MEDIUM
Reported by GitHub_M · Published May 27, 2026
Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0.
Risk Scores
CVSS v4.0
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| randombit | botan | < 3.12.0 |
| randombit | botan | < 3.12.0 |
| alpine | botan3 | 0 |
Timeline
- May 27, 2026 CVE Published
- May 27, 2026 CVE Updated
- May 28, 2026 EPSS Score
- May 29, 2026 EPSS Score
- May 29, 2026 Security Advisory
- May 30, 2026 EPSS Score
- May 31, 2026 EPSS Score
- Jun 1, 2026 EPSS Score
- Jun 8, 2026 Coalition ESS Score
References
- https://github.com/randombit/botan/security/advisories/GHSA-7q2v-3g27-6g3j x_refsource_CONFIRM