JustAppSec

pyOpenSSL patches DTLS cookie callback buffer overflow

Published 20 Mar 2026 | Source: Openwall oss-security mailing list | 1 min read

TL;DR: Upgrade pyOpenSSL to >= 26.0.0, the release the project's advisories name as patched, to close a DTLS cookie buffer overflow (Moderate) and an SNI-callback exception-handling bug that let handshakes fail open (Low).

What happened

An oss-security post reports that pyOpenSSL 26.0.0 was released with fixes for two security issues:

  • CVE-2026-27459 (Moderate): a buffer overflow occurs if a user-supplied DTLS cookie generation callback (registered with Context.set_cookie_generate_callback) returns a cookie longer than 256 bytes; pyOpenSSL copied the cookie into OpenSSL's fixed-size cookie buffer without checking its length.
  • CVE-2026-27448 (Low): an unhandled exception in a set_tlsext_servername_callback callback previously let the TLS handshake proceed "as if the callback had succeeded", so any security-sensitive decision implemented there (certificate selection per SNI, hostname allow-listing) could be silently skipped.

This matters because pyOpenSSL sits under many Python TLS stacks and service runtimes, and a memory-safety bug in handshake code, even one rated Moderate, is worth treating as high risk in production: at minimum it is a remote crash in a native extension, and the exploitability of an out-of-bounds write there is hard to rule out by inspection. Note that the trigger is application-side: the overflow only fires if your own callback returns an oversized cookie, so exposure is greatest where cookie length depends on attacker-influenced input (for example a peer identifier or client hello field copied into the cookie). The SNI bug is the opposite shape: no memory corruption, but a fail-open path in exactly the place where policy is enforced.

Who is impacted

  • Python projects that depend on pyopenssl (the PyPI package for pyOpenSSL).

Issue | Advisory severity | Affected versions (per advisories) | Patched versions (per advisories)
DTLS cookie callback buffer overflow (CVE-2026-27459) | Moderate | >= 22.0.0, < 26.0.0 | >= 26.0.0
SNI callback exception does not cancel the connection (CVE-2026-27448) | Low | >= 0.14, < 26.0.0 | >= 26.0.0

The DTLS range starts at 22.0.0 because that is where the cookie callbacks were introduced; the upper bounds follow from 26.0.0 being the first patched release.

What to do now

  • Apply the upstream remediation by upgrading pyOpenSSL to a patched version (the advisories list >= 26.0.0 as patched).
  • Inventory where pyopenssl is present (lockfiles, container images, base images) and prioritize:
    • internet-facing services that terminate TLS/DTLS in-process,
    • systems using DTLS features or custom cookie callbacks,
    • services using set_tlsext_servername_callback for security-relevant policy decisions.
  • If you have custom callbacks:
    • verify that DTLS cookie generation callbacks return a bounded, ideally fixed-length, value (a MAC over the peer identity and a time window, not anything whose size follows client input),
    • ensure SNI callback failures are treated as fatal: on >= 26.0.0 an unhandled exception rejects the connection, so do not wrap the callback body in a catch-and-log that swallows errors, because that recreates the pre-fix fail-open behaviour.
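Added example, not code from the pyOpenSSL project or from the oss-security post: a fixed-length HMAC cookie generator/verifier pair and a fail-closed SNI callback, wired to a Context through the callback signatures pyOpenSSL documents (generate: callback(conn) -> bytes; verify: callback(conn, cookie) -> bool; servername: callback(conn)). The peer_id_for hook, the SniPolicyError class, the 60-second cookie window and the 255-byte ceiling are this example's own choices, not anything the advisories prescribe. The Context is passed in rather than imported, so the module loads and its policy functions can be tested without OpenSSL installed.

```python
"""Hardened pyOpenSSL callbacks: fixed-length DTLS cookies, fail-closed SNI."""
from __future__ import annotations

import hashlib
import hmac
import logging
import secrets
import struct
import time

log = logging.getLogger(__name__)

# The advisory's overflow trigger is a cookie longer than 256 bytes. Keep a hard
# ceiling below that and, in practice, emit a fixed 32-byte HMAC so the cookie
# length can never vary with anything the client sends.
MAX_COOKIE_LEN = 255                        # example's own ceiling, under the 256-byte trigger
COOKIE_LEN = hashlib.sha256().digest_size   # 32 bytes, always
COOKIE_TTL = 60                             # seconds; current and previous window are accepted


def _cookie_for_window(key: bytes, peer_id: bytes, window: int) -> bytes:
    # Bind the cookie to the peer identity and a coarse time window, nothing else.
    return hmac.new(key, struct.pack(">Q", window) + peer_id, hashlib.sha256).digest()


def make_cookie(key: bytes, peer_id: bytes, now: float | None = None) -> bytes:
    now = time.time() if now is None else now
    cookie = _cookie_for_window(key, peer_id, int(now // COOKIE_TTL))
    if len(cookie) > MAX_COOKIE_LEN:    # cannot happen for SHA-256; kept as the invariant
        raise ValueError("DTLS cookie exceeds the OpenSSL cookie buffer")
    return cookie


def verify_cookie(key: bytes, peer_id: bytes, cookie: bytes, now: float | None = None) -> bool:
    if len(cookie) != COOKIE_LEN:       # reject oversized or truncated cookies before any MAC work
        return False
    now = time.time() if now is None else now
    window = int(now // COOKIE_TTL)
    return any(
        hmac.compare_digest(cookie, _cookie_for_window(key, peer_id, w))
        for w in (window, window - 1)
    )


def install_dtls_cookie_callbacks(ctx, peer_id_for, key: bytes | None = None) -> bytes:
    """Register generate/verify callbacks on a DTLS server Context.

    peer_id_for(conn) -> bytes is supplied by the caller (hypothetical hook, e.g. the
    client's UDP address tuple encoded as bytes) because the Connection alone does not
    know it. Returns the HMAC key so it can be shared across worker processes.
    """
    key = key or secrets.token_bytes(32)

    def generate(conn) -> bytes:
        return make_cookie(key, peer_id_for(conn))

    def verify(conn, cookie: bytes) -> bool:
        return verify_cookie(key, peer_id_for(conn), cookie)

    ctx.set_cookie_generate_callback(generate)
    ctx.set_cookie_verify_callback(verify)
    return key


class SniPolicyError(Exception):
    """Raised to abort a handshake whose SNI does not satisfy policy."""


def select_context(servername: bytes | None, contexts_by_name: dict, default=None):
    """Pure policy decision: the Context that serves this SNI, or an exception."""
    if servername is None:
        if default is None:
            raise SniPolicyError("client sent no SNI and no default is configured")
        return default
    try:
        return contexts_by_name[servername]
    except KeyError:
        raise SniPolicyError(f"unknown server name {servername!r}") from None


def make_sni_callback(contexts_by_name: dict, default=None):
    """Build a set_tlsext_servername_callback callback that never fails open.

    Every failure, policy or programming error, leaves via an exception. On
    pyOpenSSL >= 26.0.0 that aborts the handshake; the log line records why.
    """
    def servername_callback(conn) -> None:
        try:
            conn.set_context(select_context(conn.get_servername(), contexts_by_name, default))
        except Exception:
            log.exception("SNI policy failed; rejecting handshake")
            raise   # never swallow: catching here would recreate the fail-open bug
    return servername_callback
```

The cookie length is a property of the MAC, not of the input, so the overflow condition cannot be reached regardless of what the peer sends. The SNI callback deliberately re-raises after logging: on releases before 26.0.0 the exception is lost and the handshake continues with the default context, which is why the upgrade, not the callback, is the actual fix for CVE-2026-27448.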
