Bug 2456187 (CVE-2026-39373) - CVE-2026-39373 JWCrypto: python-cryptography: python: JWCrypto: Memory exhaustion via crafted compressed JWE tokens
Summary: CVE-2026-39373 JWCrypto: python-cryptography: python: JWCrypto: Memory exhaus...
Keywords:
Status: NEW
Alias: CVE-2026-39373
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2456512
Blocks:
 
Reported: 2026-04-07 20:03 UTC by OSIDB Bzimport
Modified: 2026-04-08 15:27 UTC (History)
CC: 16 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-07 20:03:04 UTC
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to 1.5.7, an unauthenticated attacker can exhaust server memory by sending crafted JWE tokens with ZIP compression. The existing patch for CVE-2024-28102 limits input token size to 250KB but does not validate the decompressed output size. An unauthenticated attacker can cause memory exhaustion on memory-constrained systems. A token under the 250KB input limit can decompress to approximately 100MB. This vulnerability is fixed in 1.5.7.

Comment 2 Simo Sorce 2026-04-08 15:27:44 UTC
The severity of this bug is wrong, it should be low.

No attacker can cause unlimited memory exhaustion, the bug only highlighted that the amount of memory used could not be finely controlled, but the previous fix did absolutely allow limiting memory use. This is a very low priority issue.

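The following is an added illustration, not code from JWCrypto or from anyone in this bug. It reproduces the two shapes of check discussed above with the standard-library zlib module on raw DEFLATE (RFC 1951, which is what the JWE "zip": "DEF" parameter selects): an input-size cap alone, as in the CVE-2024-28102 fix, and the same cap combined with a bound on the inflated output, as the 1.5.7 fix adds. It also computes the upper bound on output that an input cap alone gives, since DEFLATE cannot expand data by more than roughly 1032:1, which is why comment 2 says the earlier fix already limited memory use even though it did not control it finely. The 250KB figure comes from the description; MAX_PLAINTEXT_BYTES, the function names and the zero-filled bomb payload are assumptions chosen for the example.

```python
import zlib

# Caps used by this example. MAX_TOKEN_BYTES mirrors the 250KB input cap the
# description mentions; MAX_PLAINTEXT_BYTES is an assumed cap on inflated
# output chosen for illustration, not a JWCrypto constant.
MAX_TOKEN_BYTES = 250 * 1024
MAX_PLAINTEXT_BYTES = 1 * 1024 * 1024

# One DEFLATE length/distance pair can emit at most 258 output bytes and costs
# at least 2 bits of input, giving the well-known ~1032:1 ceiling on expansion.
DEFLATE_MAX_RATIO = 1032


def make_deflate_bomb(plaintext_size: int) -> bytes:
    """Raw DEFLATE (wbits=-15, as JWE 'zip':'DEF' uses) of a highly
    repetitive payload. Constructed attacker input for this example."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(b"\x00" * plaintext_size) + comp.flush()


def max_inflated_size(token_limit: int = MAX_TOKEN_BYTES) -> int:
    """Upper bound on inflated output implied by an input-size cap alone."""
    return token_limit * DEFLATE_MAX_RATIO


def inflate_naive(data: bytes) -> bytes:
    """Shape of the pre-1.5.7 check: cap the input, inflate without a cap."""
    if len(data) > MAX_TOKEN_BYTES:
        raise ValueError("token exceeds %d bytes" % MAX_TOKEN_BYTES)
    return zlib.decompress(data, wbits=-15)  # output size is unbounded


def inflate_bounded(data: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate with a hard cap on output. max_length makes zlib stop once
    limit+1 bytes have been produced, so at most limit+1 bytes are ever
    allocated regardless of how the stream was built."""
    if len(data) > MAX_TOKEN_BYTES:
        raise ValueError("token exceeds %d bytes" % MAX_TOKEN_BYTES)
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("inflated output exceeds %d bytes" % limit)
    # Output fit under the cap, so all input was consumed; the stream must
    # also have reached its end marker or it is truncated.
    if not d.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def rejected_by_bound(data: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bool:
    """True if the bounded inflater refuses the token."""
    try:
        inflate_bounded(data, limit)
    except (ValueError, zlib.error):
        return True
    return False


if __name__ == "__main__":
    bomb = make_deflate_bomb(64 * 1024 * 1024)  # 64 MiB of zeros
    print("bomb size:", len(bomb), "under cap:", len(bomb) <= MAX_TOKEN_BYTES)
    print("naive path inflates to:", len(inflate_naive(bomb)), "bytes")
    print("bounded path rejects it:", rejected_by_bound(bomb))
    print("input cap alone bounds output to", max_inflated_size(), "bytes")
```

Running it shows a token of roughly 64KB inflating to 64 MiB through the naive path while the bounded path refuses it after producing at most 1 MiB + 1 byte. The bound-only arithmetic is also visible: with a 250KB cap, the worst case is about 264 MB, large on a small host but finite, which is the distinction between the description's "memory exhaustion" and comment 2's "not finely controlled".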
