Bug 2448508 (CVE-2026-27448) - CVE-2026-27448 pyOpenSSL: TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback
Status: NEW
Alias: CVE-2026-27448
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Product Security DevOps Team
Reported: 2026-03-18 00:02 UTC by OSIDB Bzimport
Modified: 2026-03-18 16:25 UTC

Description OSIDB Bzimport 2026-03-18 00:02:29 UTC
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user-provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.
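
One way an application on an affected version can keep a servername callback from failing open, as an added example that is not code from pyOpenSSL or from this bug report: the wrapper records any exception against the connection, and the application checks that record after the handshake. The names `fail_closed`, `sni_ok`, `check_sni`, `FakeConnection` and the allowlist are hypothetical, and the post-handshake check is an assumed application structure.

```python
import logging
import weakref

log = logging.getLogger("sni_policy")
ALLOWED = {b"api.example.test"}  # constructed allowlist

# Connections whose callback raised. Weak references, so entries vanish
# when the connection object is garbage-collected.
_failed = weakref.WeakSet()

def fail_closed(callback):
    """Wrap a servername callback so an exception is recorded, not lost."""
    def wrapper(conn):
        try:
            callback(conn)
        except Exception:
            log.exception("servername callback raised; marking connection")
            _failed.add(conn)
    return wrapper

def sni_ok(conn):
    """Call after the handshake; drop the connection if this is False."""
    return conn not in _failed

def check_sni(conn):
    """Hypothetical policy: only allowlisted names may proceed."""
    name = conn.get_servername()     # bytes, or None when no SNI was sent
    if name.lower() not in ALLOWED:  # AttributeError on None: the kind of
        raise PermissionError(name)  # unplanned exception this bug hides

class FakeConnection:
    """Constructed stand-in for OpenSSL.SSL.Connection, for offline runs."""
    def __init__(self, servername):
        self._servername = servername
    def get_servername(self):
        return self._servername

def simulate(servername):
    """Run the wrapped callback as a handshake would, then apply the check."""
    conn = FakeConnection(servername)
    fail_closed(check_sni)(conn)
    return sni_ok(conn)

# Real use (assumed application structure):
#   ctx.set_tlsext_servername_callback(fail_closed(check_sni))
#   conn.do_handshake()
#   if not sni_ok(conn): drop the connection before exchanging any data
```
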

