PatchSiren cyber security CVE debrief

CVE-2013-7459 Fedoraproject CVE debrief

CVE-2013-7459 is a critical memory-corruption flaw in the Python Cryptography Toolkit (pycrypto). NVD describes it as a heap-based buffer overflow in ALGnew in block_templace.c that can be triggered with a crafted IV parameter to cryptmsg.py, and the stated impact is remote code execution. The issue was publicly discussed before the CVE record was published, and the available references point to a patch and downstream package advisories.

Vendor: Fedoraproject
Product: CVE-2013-7459
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security teams, Linux/package maintainers, and developers operating applications that depend on pycrypto—especially deployments that still include pycrypto 2.6.1 or earlier, or Fedora 24/25 packages referenced in the NVD record.

Technical summary

NVD maps this issue to CWE-119 and rates it CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerable code path is identified as ALGnew in block_templace.c within pycrypto, where malformed input can overflow a heap buffer. The record lists affected pycrypto versions through 2.6.1, and also marks Fedora 24 and Fedora 25 as vulnerable in the supplied CPE criteria.

Defensive priority

Urgent. Treat as a high-priority remediation item wherever pycrypto is present, because the published impact is unauthenticated network-reachable RCE with full confidentiality, integrity, and availability impact.

Recommended defensive actions

  • Inventory systems and applications that bundle or import pycrypto, and flag any installation at version 2.6.1 or earlier.
  • Apply the vendor or downstream patched package referenced in the corpus, or replace pycrypto with a maintained alternative if the library is no longer supported in your stack.
  • Prioritize remediation on Fedora 24/25 systems referenced by the NVD CPE criteria, using the relevant package advisory channels in the source corpus.
  • Review any service or utility that accepts untrusted IV or ciphertext-related inputs and confirm it is no longer using the affected code path.
  • After patching, verify remediation through dependency and package inventory scans so the vulnerable library is no longer present in production images or hosts.
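As an added example supporting the inventory and post-patch verification steps above (not code from PatchSiren, NVD or the pycrypto project), the following Python script scans pip-freeze style output for pycrypto pins at or below 2.6.1, the affected range stated in the NVD record, and separates range-only pins it cannot decide offline; the sample lines are constructed.

```python
# Added example for this debrief, not code from PatchSiren, NVD or pycrypto.
# The 2.6.1 threshold is the NVD version range; the sample input is constructed.
import re

VULNERABLE_THROUGH = (2, 6, 1)   # NVD: pycrypto affected through 2.6.1
AFFECTED_NAME = "pycrypto"       # normalized distribution name
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;#]*)")
_ANY_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize_name(name):
    """PEP 503 name normalization: case-insensitive, '-', '_' and '.' equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(text):
    """'2.6.1' -> (2, 6, 1); '2.6' -> (2, 6, 0); '2.7a1' -> (2, 7, 0).
    Pre-release suffixes are dropped, so 2.6.1rc1 counts as 2.6.1 (flagged)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def find_pycrypto(freeze_lines):
    """Exact '==' pins at or below 2.6.1 go to 'vulnerable'; unpinned or
    range-only pycrypto lines go to 'undetermined' for a live version check."""
    report = {"vulnerable": [], "undetermined": []}
    for line in freeze_lines:
        m = _ANY_REQ.match(line)
        if not m or normalize_name(m.group(1)) != AFFECTED_NAME:
            continue  # comment, blank line, or a different distribution
        pin = _PIN.match(line)
        if pin is None:
            report["undetermined"].append(line.strip())
        elif parse_version(pin.group(2)) <= VULNERABLE_THROUGH:
            report["vulnerable"].append((pin.group(1), pin.group(2)))
    return report

SAMPLE_FREEZE = [            # constructed `pip freeze` output from two hosts
    "PyCrypto==2.6.1",       # affected; name differs only in case
    "pycryptodome==3.9.9",   # different distribution, must not match
    "requests==2.25.1",
    "pycrypto==2.0.1",       # affected
    "pycrypto==2.7a1",       # above the NVD range, not flagged
    "pycrypto>=2.6",         # range pin: version unknown, report for review
]

if __name__ == "__main__":
    print(find_pycrypto(SAMPLE_FREEZE))
```

Feed it the output of `pip freeze` from each host or container image; anything under 'undetermined' still needs the installed version read from the live environment.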

Evidence notes

Supported by the NVD record and linked references in the corpus: the NVD entry states a heap-based buffer overflow in ALGnew in block_templace.c and assigns CVSS 3.0 9.8 with CWE-119; the affected CPEs include dlitz:pycrypto through 2.6.1 plus Fedora 24 and 25. Public discussion is referenced via the oss-security mailing list, and remediation evidence is provided by the pycrypto patch commit and issue tracker entry. The corpus also includes downstream advisories from Red Hat and Gentoo.

Official resources

The corpus shows public discussion on 2016-12-27 via the oss-security mailing list, followed by the CVE record publication on 2017-02-15. The record was later modified on 2026-05-13. No KEV listing is included in the supplied data.