Is ecdsa affected by CVE-2026-33936?

PyPI ecdsa is affected in <0.19.2.

Is CVE-2026-33936 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

medium

CVE-2026-33936

Q: Is CVE-2026-33936 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.5%.

PyPI · ecdsa

Summary

python-ecdsa: Denial of Service via improper DER length validation in crafted private keys

Severity: medium
EPSS: 0.5% (p37)
Also known as: GHSA-9f5j-8jwj-x28g
Published: 2026-03-27

References

https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g
https://nvd.nist.gov/vuln/detail/CVE-2026-33936
https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.