oss-sec mailing list archives
CPython [CVE-2026-3446] Base64 decoding stops at first padded quad by default
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 10 Apr 2026 18:50:35 -0700
-------- Forwarded Message --------Subject: [Security-announce]Title: [CVE-2026-3446] Base64 decoding stops at first padded quad by default
Date: Fri, 10 Apr 2026 18:19:00 +0000
From: Seth Larson <seth () python org>
Reply-To: security-sig () python org
To: security-announce () python org
There is a MEDIUM severity vulnerability affecting {project}.
When calling base64.b64decode() or related functions the decoding process would
stop after encountering the first padded quad regardless of whether there was
more information to be processed. This can lead to data being accepted which may
be processed differently by other implementations. Use "strict=True" to enable
stricter processing of base64 data.
Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-34460 * https://github.com/python/cpython/pull/145267 _______________________________________________ Security-announce mailing list -- security-announce () python org To unsubscribe send an email to security-announce-leave () python org https://mail.python.org/mailman3//lists/security-announce.python.org
Current thread:
- CPython [CVE-2026-3446] Base64 decoding stops at first padded quad by default Alan Coopersmith (Apr 10)
