
CVE-2024-26130:
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.48987%
Published: 2/21/2024
Updated: 2/6/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
cryptography | pip | >= 38.0.0, < 42.0.4 | 42.0.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability manifests in serialize_key_and_certificates_to_pkcs12 because:

  1. The commit diff shows a NULL check was added to the p12 variable in this function
  2. The vulnerability description explicitly mentions pkcs12.serialize_key_and_certificates as the entry point
  3. The security advisory links to code changes in this specific function
  4. The test case added in test_pkcs12.py directly exercises this code path with mismatched key/cert
  5. The CWE-476 (NULL Pointer Dereference) matches the missing NULL check pattern shown in the patch

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

If `pkcs12.serialize_key_and_certificates` is called with both: 1. a certificate whose public key did not match the provided private key 2. an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`)
