Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
CVE-2026-2681 — python-ckzg exploitability analysis

CVE-2026-2681 affects the blst_sha256_bcopy assembly routine in the blst cryptographic library. It is triggered by passing a zero-length salt parameter to blst_keygen_v5() (or related key generation functions), which causes an out-of-bounds stack write leading to memory corruption and process termination (DoS).

python-ckzg bundles blst v0.3.16 (via the c-kzg-4844 library), which predates the fix for this CVE. However, the vulnerable code path is not reachable through python-ckzg:

- c-kzg-4844 uses blst exclusively for BLS12-381 curve operations (point multiplication, pairing, etc.) and blst_sha256() hashing for polynomial commitment verification.

- c-kzg-4844 does not call blst_keygen_v5(), blst_keygen_v4_5(), blst_keygen_v3(), or any other blst key generation function:

    $ grep -R blst_keygen_ src/
    $ (no output)

- The Python bindings themselves are a thin FFI wrapper around the C core and contain no direct blst calls either:

    $ grep -R blst_ bindings/python/
    $ (no output)

The vulnerable functions are present in the statically linked blst library but are effectively dead code in the context of c-kzg-4844. There is no API path through python-ckzg that could reach blst_keygen_v5() with any parameters, let alone the zero-length salt required to trigger the flaw.

Conclusion: python-ckzg is not exploitable via CVE-2026-2681. The bundled blst will be updated to a fixed version when upstream c-kzg-4844 cuts a new release (the fix is already on their main branch: https://github.com/ethereum/c-kzg-4844/commit/5b90e0ba62d4fa5d013b3ac1508c0ab0203b67a4).
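The reachability argument above is a grep over the source tree for callers of the blst key-generation entry points. As an added example (not code from the Red Hat tracker, from python-ckzg or from the c-kzg-4844 project), the same audit is wrapped below as a reusable POSIX shell script so it can be re-run against any checkout or against a package that bundles blst. The sample trees it builds under mktemp are constructed here to mirror the layout the analysis describes (a src/ C core and a bindings/python/ wrapper); the symbol prefix blst_keygen_ is the one used in the analysis, and the function names and file contents in the sample trees are constructed stand-ins. The optional nm step only shows whether a symbol is present in a built artifact, which is the "present but dead code" situation above, not whether it is reachable.

```shell
#!/bin/sh
# Added example: grep-based reachability audit for the blst key-generation
# entry points named in the CVE-2026-2681 analysis. Not project code.

# Symbol prefix whose callers we want to find. blst_keygen_v5, blst_keygen_v4_5
# and blst_keygen_v3 all share it, so one extended regex covers the family.
VULN_SYMBOLS="blst_keygen_"

# Print every source line (file:line:text) in a tree that names the symbols.
# The /dev/null argument forces grep to prefix the file name even for a
# single match. Usage: list_vuln_refs <dir>
list_vuln_refs() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' -o -name '*.py' \) \
        -exec grep -n -E "$VULN_SYMBOLS" /dev/null {} +
    return 0
}

# Exit 0 when the tree never references the symbols (flaw not reachable from
# this source), 1 when at least one reference exists and needs review.
# Usage: vuln_symbols_reachable <dir>
vuln_symbols_reachable() {
    n=$(list_vuln_refs "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Optional: on a built static library or extension module, list the symbols
# that are merely *present*. Presence is not reachability; the analysis above
# is exactly the case where they exist in the archive but are never called.
# nm is a binutils tool, not POSIX, so this degrades to no-op without it.
list_binary_symbols() {
    command -v nm >/dev/null 2>&1 || { echo "nm not available, skipping" >&2; return 0; }
    nm -g "$1" 2>/dev/null | grep -E "$VULN_SYMBOLS" || true
}

# Constructed sample tree standing in for a c-kzg-4844 checkout: the C core
# uses curve arithmetic and hashing only, the Python binding calls the C core.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/src" "$root/bindings/python"
    cat > "$root/src/ckzg.c" <<'EOF'
#include "blst.h"
/* constructed stand-in: scalar multiplication and hashing, no key derivation */
void commit(blst_p1 *out, const blst_p1 *base, const byte *scalar) {
    blst_p1_mult(out, base, scalar, 255);
}
EOF
    cat > "$root/bindings/python/ckzg.py" <<'EOF'
# constructed stand-in: thin FFI wrapper, no direct blst calls
import _ckzg
def blob_to_kzg_commitment(blob):
    return _ckzg.blob_to_kzg_commitment(blob)
EOF
    printf '%s\n' "$root"
}

# A second constructed tree in which a caller does reach the key-derivation
# API, so the audit has something to flag.
make_unsafe_tree() {
    root=$(make_sample_tree)
    cat > "$root/src/keys.c" <<'EOF'
/* constructed: a caller of the key-derivation entry point */
void derive(blst_scalar *sk, const byte *ikm, const byte *salt, size_t salt_len) {
    blst_keygen_v5(sk, ikm, 32, salt, salt_len, NULL, 0);
}
EOF
    printf '%s\n' "$root"
}

main() {
    clean=$(make_sample_tree)
    if vuln_symbols_reachable "$clean"; then
        echo "clean tree: no references to ${VULN_SYMBOLS}* (flaw not reachable from source)"
    fi
    unsafe=$(make_unsafe_tree)
    if ! vuln_symbols_reachable "$unsafe"; then
        echo "unsafe tree: references found, review each caller:"
        list_vuln_refs "$unsafe"
    fi
    rm -rf "$clean" "$unsafe"
}

main "$@"
```

To audit a real checkout, point vuln_symbols_reachable at the project root (or at src/ and bindings/python/ separately, as the analysis does); a non-zero exit means there is at least one caller to trace before the "not reachable" conclusion can be reused for that package.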