CVE-2024-26130: 
Python vulnerability analysis and mitigation

CVE-2024-26130 affects the cryptography package, a library designed to expose cryptographic primitives and recipes to Python developers. The vulnerability was discovered in versions 38.0.0 through 42.0.4 (excluding). The issue was disclosed on February 21, 2024, and has been patched in version 42.0.4 (GitHub Advisory).

The vulnerability is a NULL pointer dereference that occurs when pkcs12.serializekeyandcertificates is called with two specific conditions: a certificate whose public key does not match the provided private key, and an encryptionalgorithm with hmachash set via PrivateFormat.PKCS12.encryptionbuilder().hmac_hash(...). The issue has been assigned a CVSS v3.1 base score of 7.5 HIGH, with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability results in a crash of the Python process due to the NULL pointer dereference. This can lead to a denial of service condition, affecting the availability of applications using the vulnerable cryptography package versions (GitHub Advisory).

The recommended mitigation is to upgrade to cryptography version 42.0.4 or later, where the issue has been fixed. In the patched version, the code properly raises a ValueError instead of crashing when encountering mismatched keys and certificates (GitHub Advisory).