Botan: Quadratic complexity decoding BER indefinite length encodings_CVE-2026-44378

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0.

Basic Information

ID CVE-2026-44378

Source GitHub_M

Published May 27, 2026 at 16:34

Affected Product

Vendor randombit

Product botan

Version < 3.12.0

Affected Versions randombit botan < 3.12.0

CWE Classification

CWE-407

References

github.com /randombit/botan/security/advisories/GHSA-7q2v-3g27-6g3j

{
    "lastseen": "",
    "description": "Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0.",
    "published": "2026-05-27T16:34:33.635Z",
    "modified": "2026-05-27T16:34:33.635Z",
    "type": "cve",
    "title": "Botan: Quadratic complexity decoding BER indefinite length encodings",
    "source": "GitHub_M",
    "references": "https://github.com/randombit/botan/security/advisories/GHSA-7q2v-3g27-6g3j",
    "id": "CVE-2026-44378",
    "bulletinFamily": "",
    "cwe": [
        "CWE-407"
    ],
    "cvelist": null,
    "sourceData": "randombit botan < 3.12.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "botan",
    "version": "< 3.12.0",
    "vendor": "randombit",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}