Bug 2448503 (CVE-2026-27459)

Summary: CVE-2026-27459 pyOpenSSL: DTLS cookie callback buffer overflow
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: adudiak, anthomas, aprice, bdettelb, caswilli, doconnor, dranck, dschmidt, eborisov, eglynn, ehelms, erezende, ggainey, jdobes, jjoyce, jkoehler, jlanda, jmitchel, jpretori, jsamir, jschluet, juwatts, jwong, kaycoth, kshier, lball, lbrazdil, lhh, lphiri, mburns, mgarciac, mhulan, mminar, ngough, nmoumoul, oezr, omaciel, orabin, osousa, pbohmill, pcreech, rbiba, rchan, simaishi, smallamp, smcdonal, sskracic, stcannon, teagle, tmalecek, tpfromme, ttakamiy, veshanka, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in pyOpenSSL. The callback registered with set_cookie_generate_callback is used to generate DTLS cookies. When that callback returns a cookie string or byte sequence longer than 256 bytes, a buffer overflow can be triggered, because the data is copied into a fixed-size buffer provided by the underlying OpenSSL library without a bounds check.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2448655, 2448652
Bug Blocks:

Description OSIDB Bzimport 2026-03-18 00:02:08 UTC
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user-provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL-provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.
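
As an added example (not pyOpenSSL's own code and not part of this bug report), the following Python shows the two halves a practitioner wants here: a cookie generator whose output is fixed at 32 bytes, so it can never exceed the OpenSSL buffer, and a model of the length guard that version 26.0.0 adds before the callback's result is copied into that buffer. The 256-byte size is taken from the bug text; the constant name DTLS1_COOKIE_LENGTH is OpenSSL's header name quoted from memory, and `oversized_callback`, `copy_cookie`, `guard_rejects` and the `peer_of` helper are assumptions introduced for illustration. The `set_cookie_generate_callback`/`set_cookie_verify_callback` registration in `install_callbacks` is only exercised when an application passes a real DTLS `OpenSSL.SSL.Context`; nothing else in the block needs pyOpenSSL installed.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

# Size of the cookie buffer OpenSSL hands to the generate callback, per the bug
# text (256 bytes). The constant name is OpenSSL's DTLS1_COOKIE_LENGTH, from memory.
DTLS1_COOKIE_LENGTH = 256

Peer = Tuple[str, int]  # (host, port) of the DTLS client as seen on the UDP socket


class CookieTooLong(ValueError):
    """Raised instead of copying past the end of OpenSSL's cookie buffer."""


def copy_cookie(buf: bytearray, cookie: bytes) -> int:
    """Model (assumption) of the fixed pyOpenSSL callback helper.

    Before 26.0.0 the callback's result was copied into the OpenSSL buffer
    unconditionally; this version refuses anything that does not fit and
    returns the length OpenSSL would be told to use.
    """
    if not isinstance(cookie, (bytes, bytearray)):
        raise TypeError("cookie callback must return bytes")
    if len(cookie) > len(buf):
        raise CookieTooLong(f"cookie is {len(cookie)} bytes, buffer holds {len(buf)}")
    buf[: len(cookie)] = cookie
    return len(cookie)


def guard_rejects(cookie: bytes) -> bool:
    """True if copy_cookie refuses this cookie for a DTLS1_COOKIE_LENGTH buffer."""
    try:
        copy_cookie(bytearray(DTLS1_COOKIE_LENGTH), cookie)
    except CookieTooLong:
        return True
    return False


class HmacCookieGenerator:
    """Stateless HelloVerifyRequest cookies: HMAC-SHA256 over the client address.

    A 32-byte MAC keyed with a per-process secret proves the client can receive
    at the address it claims, and its length is fixed, so it never exceeds the buffer.
    """

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret if secret is not None else secrets.token_bytes(32)

    @staticmethod
    def _peer_bytes(peer: Peer) -> bytes:
        host, port = peer
        return f"{host}:{port}".encode()

    def generate(self, peer: Peer) -> bytes:
        return hmac.new(self._secret, self._peer_bytes(peer), hashlib.sha256).digest()

    def verify(self, peer: Peer, cookie: bytes) -> bool:
        # Constant-time compare; a cookie minted for another address or secret fails.
        return hmac.compare_digest(self.generate(peer), bytes(cookie))


def oversized_callback(conn) -> bytes:
    """A callback of the kind the bug describes: its result overruns the 256-byte buffer."""
    return b"A" * (DTLS1_COOKIE_LENGTH + 44)  # 300 bytes of constructed input


def install_callbacks(
    ctx, generator: HmacCookieGenerator, peer_of: Callable[[object], Peer]
) -> None:
    """Register the generator on a pyOpenSSL DTLS Context.

    ctx is an OpenSSL.SSL.Context created with a DTLS method. The callbacks
    receive only the Connection, so peer_of is an application-supplied function
    (assumption) mapping that Connection to the client's (host, port).
    """
    ctx.set_cookie_generate_callback(lambda conn: generator.generate(peer_of(conn)))
    ctx.set_cookie_verify_callback(
        lambda conn, cookie: generator.verify(peer_of(conn), cookie)
    )
```

Two practical checks follow from this. First, confirm the installed version is at or above 26.0.0 (`python -c "import OpenSSL; print(OpenSSL.__version__)"`), since only the fixed helper rejects an over-long result. Second, keep the application's own generator fixed-length anyway, as above: a rejected cookie on a patched version still means the DTLS handshake fails, so a generator that cannot produce more than 256 bytes is the robust design on either side of the fix.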

Comment 2 errata-xmlrpc 2026-04-27 10:13:29 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2026:10754 https://access.redhat.com/errata/RHSA-2026:10754

Comment 3 errata-xmlrpc 2026-05-04 13:58:53 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 10
  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2026:13508 https://access.redhat.com/errata/RHSA-2026:13508

Comment 4 errata-xmlrpc 2026-05-04 14:16:03 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2026:13512 https://access.redhat.com/errata/RHSA-2026:13512

Comment 5 errata-xmlrpc 2026-05-07 17:26:31 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.17 for RHEL 9

Via RHSA-2026:14873 https://access.redhat.com/errata/RHSA-2026:14873

Comment 6 errata-xmlrpc 2026-05-07 17:56:04 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.16 for RHEL 8
  Red Hat Satellite 6.16 for RHEL 9

Via RHSA-2026:14874 https://access.redhat.com/errata/RHSA-2026:14874