LeakyCreds

CVE-2026-32877 - Vulnerability Analysis

Severity: High | CVSS: 8.2

Last Updated: April 1, 2026

Botan - Out of Bounds Read

Published: March 30, 2026 | Updated: April 1, 2026 | Remote Exploitable

Overview

Botan versions 2.3.0 up to, but not including, 3.11.0 contain a heap over-read caused by a missing length check on the SM2 decryption authentication code (C3): the received C3 value is compared against the recomputed tag without first verifying that it has the expected length. An attacker can trigger a crash or undefined behavior; exploitation requires a crafted invalid ciphertext.
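As an added illustration, not Botan's code and not taken from this advisory, the unchecked comparison pattern the overview describes is shown beside its length-checked form. The `Bytes` alias, `kDigestLen`, and the function names are assumptions for the example; the tag bytes are constructed inline.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed example, not Botan's implementation. Models the C3 check in an
// SM2-style decryption: the decryptor recomputes a fixed-length digest and
// compares it with the C3 bytes carved out of the ciphertext, whose length the
// sender (and therefore an attacker) controls.
using Bytes = std::vector<uint8_t>;
constexpr size_t kDigestLen = 32;  // SM3 output size used by SM2 (assumed here)

// Vulnerable pattern: assumes `received` holds kDigestLen bytes. If a shorter
// C3 arrives, memcmp reads past the end of its heap buffer (CWE-125).
// Kept only for contrast; never call it on untrusted input.
bool c3_matches_unchecked(const Bytes& expected, const Bytes& received) {
    return std::memcmp(expected.data(), received.data(), expected.size()) == 0;
}

// Number of bytes the unchecked compare would read beyond `received`
// (0 when the tag is at least as long as the digest). Lets the defect be
// reasoned about without executing the undefined read.
size_t overread_bytes(const Bytes& expected, const Bytes& received) {
    return expected.size() > received.size() ? expected.size() - received.size() : 0;
}

// Fixed pattern: reject any C3 whose length differs from the digest length
// before touching its bytes, then compare in constant time so the result
// does not leak how many leading bytes matched.
bool c3_matches_checked(const Bytes& expected, const Bytes& received) {
    if (expected.size() != kDigestLen || received.size() != kDigestLen)
        return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < kDigestLen; ++i)
        diff |= static_cast<uint8_t>(expected[i] ^ received[i]);
    return diff == 0;
}
```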

Severity & Score

Severity: High
CVSS Score: 8.2
EPSS Score: 4.5% (probability of exploitation in the next 30 days)

Impact

An attacker can cause an application crash or undefined behavior via the heap over-read, potentially resulting in denial of service.

Mitigation

Update to version 3.11.0 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 30, 2026

🟠 CVE-2026-32877 - High (8.2) Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32877/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-32877
Severity: High
CVSS Score: 8.2
Type: out_of_bounds_rw
Status: unconfirmed
EPSS: 4.5%
Social Posts: 1

CWE

  • CWE-125

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

EPSS Score

4.5% (probability of exploitation in the next 30 days)