Skip to main content

Red Hat CVE-2026-3446

| EUVDEUVD-2026-21545 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-04-10 PSF GHSA-8r9f-h969-mm4m
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 18:45 euvd
EUVD-2026-21545
Analysis Generated
Apr 10, 2026 - 18:45 vuln.today
Patch released
Apr 10, 2026 - 18:45 nvd
Patch available
CVE Published
Apr 10, 2026 - 18:17 nvd
MEDIUM 6.0

DescriptionCVE.org

When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.

AnalysisAI

CPython's base64.b64decode() function prematurely stops processing after encountering the first padded quad, allowing malformed base64 data to be accepted that may be interpreted differently by other implementations. This affects CPython 3.13.x before 3.13.13, 3.14.x before 3.14.4, and 3.15.0a1 before 3.15.0a8, with authenticated remote attackers on high-complexity networks potentially inducing information disclosure (CVSS 6.0, EPSS risk level moderate). Upstream fixes are available in tagged commits; users should upgrade to patched versions or enable validate=True parameter for stricter base64 validation.

Technical ContextAI

The vulnerability resides in CPython's base64 module, specifically the b64decode() function and related decoding routines. Base64 encoding uses padding characters ('=') to signal the end of encoded data; RFC 4648 mandates that padding only appears at the end of a properly formatted base64 string. The defect causes the decoder to terminate immediately upon finding the first padded quad (a sequence ending with '=' characters), ignoring any subsequent valid base64 data in the input stream. This creates an interoperability issue where CPython accepts truncated or malformed base64 sequences that strictly compliant implementations would reject. The root cause is improper termination logic in the decoding state machine, allowing incomplete or deliberately crafted payloads to bypass validation. The CPE (cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*) identifies all CPython versions as potentially affected, with specific version ranges confirmed vulnerable.

RemediationAI

Users should upgrade to CPython 3.13.13, 3.14.4, or 3.15.0a8 (or later stable releases) where the base64 decoding logic has been corrected. The upstream fixes are available in commits 1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474, 4561f6418a691b3e89aef0901f53fe0dfb7f7c0e, and e31c55121620189a0d1a07b689762d8ca9c1b7fa within the CPython repository (https://github.com/python/cpython). As an immediate workaround, developers should explicitly call base64.b64decode(input_string, validate=True) to enforce stricter base64 validation and reject malformed sequences before the decoding process terminates prematurely. This parameter enables rejection of base64 input that does not strictly comply with RFC 4648. The Python security advisory and pull request #145267 provide additional implementation details and guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-3446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy