CVE-2026-44378

7.5 HIGH

Botan is a C++ cryptography library

Published: 2026-05-27 · Last updated: 2026-06-02

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-407

Affected products

Vendor	Product
botan_project	botan

Description

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44378
[Vendor advisory]https://github.com/randombit/botan/security/advisories/GHSA-7q2v-3g27-6g3j

Related CVEs

Same CWE

CVE-2026-45664 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.3 MEDIUM)
CVE-2026-41850 — Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service... (7.5 HIGH)
CVE-2026-11312 — A vulnerability was found in bytedance InfiniStore up to 0.2.33 (3.3 LOW)
CVE-2026-8889 — Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist ... (7.5 HIGH)
CVE-2026-3276 — unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining cha...