CVE-2026-27448
Publication date 18 March 2026
Last updated 5 June 2026
Ubuntu priority
Description
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.
Why is this CVE low priority?
This has been rated low severity by pyOpenSSL developers
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| pyopenssl | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Fixed 25.0.0-1ubuntu0.1
|
|
| 24.04 LTS noble |
Fixed 23.2.0-1ubuntu0.1
|
|
| 22.04 LTS jammy |
Fixed 21.0.0-1ubuntu0.1
|
|
| 20.04 LTS focal |
Fixed 19.0.0-1ubuntu0.1~esm1
|
|
| 18.04 LTS bionic |
Fixed 17.5.0-1ubuntu1+esm1
|
|
| 16.04 LTS xenial |
Fixed 0.15.1-2ubuntu0.2+esm1
|
|
| 14.04 LTS trusty |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-8115-1
- pyOpenSSL vulnerabilities
- 23 March 2026
- USN-8335-1
- pyOpenSSL vulnerability
- 28 May 2026