SCA: security update for cryptography (GHSA-r6ph-v2qm-q3c2)

high Tenable Self-Hosted Container Security Plugin ID 437685

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()),
EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not
verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation
allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security
issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key
negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this
leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this
reveals the least significant bits of the private key. When these weak public keys are used in ECDSA ,
it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This
vulnerability is fixed in 46.0.5. (CVE-2026-26007)

See Also

https://github.com/advisories/GHSA-r6ph-v2qm-q3c2

Plugin Details

Severity: High

ID: 437685

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 2/11/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.71

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-26007

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.2

Threat Score: 4.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/10/2026

Vulnerability Publication Date: 2/10/2026

Reference Information

CVE: CVE-2026-26007

cwe: CWE-345