Vulnerability-Lookup

alsa-2026:25237

Vulnerability from osv_almalinux

Published

2026-06-11 00:00

Modified

2026-06-11 18:18

Summary

Important: openssl security update

Details

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing (CVE-2026-7383)
openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS password-based decryption (CVE-2026-9076)
openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of service or information disclosure. (CVE-2026-34180)
openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys (CVE-2026-34181)
openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages (CVE-2026-34182)
openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler (CVE-2026-34183)
openssl: NULL pointer dereference in QUIC server initial packet handling (CVE-2026-42764)
openssl: Possible NULL Dereference in Password-Based CMS Decryption (CVE-2026-42766)
openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption (CVE-2026-42767)
openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() (CVE-2026-42768)
openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate (CVE-2026-42769)
openssl: FFC-DH Peer Validation Uses Attacker-Supplied q (CVE-2026-42770)
openssl: AES-OCB IV Ignored on EVP_Cipher() Path (CVE-2026-45445)
openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (CVE-2026-45446)
openssl: Heap Use-After-Free in OpenSSL PKCS7_verify() (CVE-2026-45447)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:25237	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-34180	REPORT
	https://access.redhat.com/security/cve/CVE-2026-34181	REPORT
	https://access.redhat.com/security/cve/CVE-2026-34182	REPORT
	https://access.redhat.com/security/cve/CVE-2026-34183	REPORT
	https://access.redhat.com/security/cve/CVE-2026-42764	REPORT
	https://access.redhat.com/security/cve/CVE-2026-42766	REPORT
	https://access.redhat.com/security/cve/CVE-2026-42767	REPORT
	https://access.redhat.com/security/cve/CVE-2026-42768	REPORT
	https://access.redhat.com/security/cve/CVE-2026-42769	REPORT
	https://access.redhat.com/security/cve/CVE-2026-42770	REPORT
	https://access.redhat.com/security/cve/CVE-2026-45445	REPORT
	https://access.redhat.com/security/cve/CVE-2026-45446	REPORT
	https://access.redhat.com/security/cve/CVE-2026-45447	REPORT
	https://access.redhat.com/security/cve/CVE-2026-7383	REPORT
	https://access.redhat.com/security/cve/CVE-2026-9076	REPORT
	https://bugzilla.redhat.com/2481879	REPORT
	https://bugzilla.redhat.com/2481880	REPORT
	https://bugzilla.redhat.com/2481881	REPORT
	https://bugzilla.redhat.com/2481882	REPORT
	https://bugzilla.redhat.com/2481884	REPORT
	https://bugzilla.redhat.com/2481885	REPORT
	https://bugzilla.redhat.com/2481887	REPORT
	https://bugzilla.redhat.com/2481890	REPORT
	https://bugzilla.redhat.com/2481891	REPORT
	https://bugzilla.redhat.com/2481892	REPORT
	https://bugzilla.redhat.com/2481893	REPORT
	https://bugzilla.redhat.com/2481894	REPORT
	https://bugzilla.redhat.com/2481896	REPORT
	https://bugzilla.redhat.com/2481897	REPORT
	https://bugzilla.redhat.com/2481898	REPORT
	https://errata.almalinux.org/10/ALSA-2026-25237.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "openssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:3.5.5-4.el10_2.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "openssl-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:3.5.5-4.el10_2.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "openssl-libs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:3.5.5-4.el10_2.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:10",
        "name": "openssl-perl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:3.5.5-4.el10_2.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.  \n\nSecurity Fix(es):  \n\n  * openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing (CVE-2026-7383)\n  * openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS password-based decryption (CVE-2026-9076)\n  * openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of service or information disclosure. (CVE-2026-34180)\n  * openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys (CVE-2026-34181)\n  * openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages (CVE-2026-34182)\n  * openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler (CVE-2026-34183)\n  * openssl: NULL pointer dereference in QUIC server initial packet handling (CVE-2026-42764)\n  * openssl: Possible NULL Dereference in Password-Based CMS Decryption (CVE-2026-42766)\n  * openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption (CVE-2026-42767)\n  * openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() (CVE-2026-42768)\n  * openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate (CVE-2026-42769)\n  * openssl: FFC-DH Peer Validation Uses Attacker-Supplied q (CVE-2026-42770)\n  * openssl: AES-OCB IV Ignored on EVP_Cipher() Path (CVE-2026-45445)\n  * openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (CVE-2026-45446)\n  * openssl: Heap Use-After-Free in OpenSSL PKCS7_verify() (CVE-2026-45447)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:25237",
  "modified": "2026-06-11T18:18:09Z",
  "published": "2026-06-11T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:25237"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-34180"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-34181"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-34182"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-34183"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42764"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42766"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42767"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42768"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42769"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42770"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45445"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45446"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45447"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-7383"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-9076"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481879"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481880"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481881"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481882"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481884"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481885"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481887"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481890"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481891"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481892"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481893"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481894"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481896"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481897"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2481898"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/10/ALSA-2026-25237.html"
    }
  ],
  "related": [
    "CVE-2026-7383",
    "CVE-2026-9076",
    "CVE-2026-34180",
    "CVE-2026-34181",
    "CVE-2026-34182",
    "CVE-2026-34183",
    "CVE-2026-42764",
    "CVE-2026-42766",
    "CVE-2026-42767",
    "CVE-2026-42768",
    "CVE-2026-42769",
    "CVE-2026-42770",
    "CVE-2026-45445",
    "CVE-2026-45446",
    "CVE-2026-45447"
  ],
  "summary": "Important: openssl security update"
}

CVE-2026-45445 (GCVE-0-2026-45445)

Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:48

Title

AES-OCB IV Ignored on EVP_Cipher() Path

Summary

Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-325 - Missing Cryptographic Step

Assigner

openssl

References

6 references

URL	Tags
https://openssl-library.org/news/secadv/20260609.txt	vendor-advisory
https://github.com/openssl/openssl/commit/843c9b9…	patch
https://github.com/openssl/openssl/commit/787a6df…	patch
https://github.com/openssl/openssl/commit/983d54b…	patch
https://github.com/openssl/openssl/commit/7ac4715…	patch
https://github.com/openssl/openssl/commit/323f0b6…	patch

Impacted products

1 product

Vendor	Product	Version
OpenSSL	OpenSSL	Affected: 4.0.0 , < 4.0.1 (semver) Affected: 3.6.0 , < 3.6.3 (semver) Affected: 3.5.0 , < 3.5.7 (semver) Affected: 3.4.0 , < 3.4.6 (semver) Affected: 3.0.0 , < 3.0.21 (semver)

Date Public

2026-06-09 14:00

Credits

Alex Gaynor (Anthropic) Viktor Dukhovni

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-45445",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T19:22:47.789275Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T19:23:02.138Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.3",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5.7",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.6",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.21",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Alex Gaynor (Anthropic)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Viktor Dukhovni"
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: When an application drives an AES-OCB context through the\u003cbr\u003epublic EVP_Cipher() one-shot interface, the application-supplied\u003cbr\u003einitialisation vector (IV) is silently discarded.\u003cbr\u003e\u003cbr\u003eImpact summary: Every message encrypted under the same key uses the\u003cbr\u003esame effective nonce regardless of the IV supplied by the caller,\u003cbr\u003eresulting in (key, nonce) reuse and loss of confidentiality.  If the\u003cbr\u003esame code path is used to compute the authentication tag, the tag\u003cbr\u003edepends only on the (key, IV) pair and not on the plaintext or\u003cbr\u003eciphertext, allowing universal forgery of arbitrary ciphertext from a\u003cbr\u003esingle captured message.\u003cbr\u003e\u003cbr\u003eOpenSSL provides two ways to drive a cipher: the documented streaming\u003cbr\u003einterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\u003cbr\u003eone-shot, EVP_Cipher(), whose documentation explicitly recommends\u003cbr\u003eagainst use by applications in favour of EVP_CipherUpdate() and\u003cbr\u003eEVP_CipherFinal_ex().  The OCB provider\u0027s streaming handler flushes\u003cbr\u003ethe application-supplied IV into the OCB context before processing\u003cbr\u003edata; the one-shot handler did not.  Every call to EVP_Cipher() on an\u003cbr\u003eAES-OCB context therefore ran with the all-zero key-derived offset\u003cbr\u003estate left by cipher initialisation, regardless of the caller\u0027s IV.\u003cbr\u003e\u003cbr\u003eIf EVP_EncryptFinal_ex() is subsequently used to obtain the\u003cbr\u003eauthentication tag, the deferred IV setup runs at that point and\u003cbr\u003eclears the running checksum that should have been accumulated over the\u003cbr\u003eplaintext.  The resulting tag is a function of (key, IV) only and\u003cbr\u003everifies against any ciphertext produced under the same (key, IV)\u003cbr\u003epair.\u003cbr\u003e\u003cbr\u003eThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\u003cbr\u003eTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\u003cbr\u003eApplications that drive AES-OCB through the documented streaming AEAD\u003cbr\u003eAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected.  Only\u003cbr\u003eapplications that combine the AES-OCB cipher with the EVP_Cipher()\u003cbr\u003eone-shot API are vulnerable.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\u003cbr\u003ethis issue, as AES-OCB is outside the OpenSSL FIPS module boundary."
            }
          ],
          "value": "Issue summary: When an application drives an AES-OCB context through the\npublic EVP_Cipher() one-shot interface, the application-supplied\ninitialisation vector (IV) is silently discarded.\n\nImpact summary: Every message encrypted under the same key uses the\nsame effective nonce regardless of the IV supplied by the caller,\nresulting in (key, nonce) reuse and loss of confidentiality.  If the\nsame code path is used to compute the authentication tag, the tag\ndepends only on the (key, IV) pair and not on the plaintext or\nciphertext, allowing universal forgery of arbitrary ciphertext from a\nsingle captured message.\n\nOpenSSL provides two ways to drive a cipher: the documented streaming\ninterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\none-shot, EVP_Cipher(), whose documentation explicitly recommends\nagainst use by applications in favour of EVP_CipherUpdate() and\nEVP_CipherFinal_ex().  The OCB provider\u0027s streaming handler flushes\nthe application-supplied IV into the OCB context before processing\ndata; the one-shot handler did not.  Every call to EVP_Cipher() on an\nAES-OCB context therefore ran with the all-zero key-derived offset\nstate left by cipher initialisation, regardless of the caller\u0027s IV.\n\nIf EVP_EncryptFinal_ex() is subsequently used to obtain the\nauthentication tag, the deferred IV setup runs at that point and\nclears the running checksum that should have been accumulated over the\nplaintext.  The resulting tag is a function of (key, IV) only and\nverifies against any ciphertext produced under the same (key, IV)\npair.\n\nThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\nTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\nApplications that drive AES-OCB through the documented streaming AEAD\nAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected.  Only\napplications that combine the AES-OCB cipher with the EVP_Cipher()\none-shot API are vulnerable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as AES-OCB is outside the OpenSSL FIPS module boundary."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Moderate"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-325",
              "description": "CWE-325 Missing Cryptographic Step",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T07:48:10.949Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "name": "4.0.1 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c"
        },
        {
          "name": "3.6.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7"
        },
        {
          "name": "3.5.7 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6"
        },
        {
          "name": "3.4.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af"
        },
        {
          "name": "3.0.21 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "AES-OCB IV Ignored on EVP_Cipher() Path",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2026-45445",
    "datePublished": "2026-06-09T16:03:31.338Z",
    "dateReserved": "2026-05-12T14:34:06.276Z",
    "dateUpdated": "2026-06-10T07:48:10.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45446 (GCVE-0-2026-45446)

Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:48

Title

Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes

Summary

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.

Severity

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-325 - Missing Cryptographic Step

Assigner

openssl

References

6 references

URL	Tags
https://openssl-library.org/news/secadv/20260609.txt	vendor-advisory
https://github.com/openssl/openssl/commit/25b32cd…	patch
https://github.com/openssl/openssl/commit/eec5e9b…	patch
https://github.com/openssl/openssl/commit/7fe3f33…	patch
https://github.com/openssl/openssl/commit/daca0f4…	patch
https://github.com/openssl/openssl/commit/71e2a5d…	patch

Impacted products

1 product

Vendor	Product	Version
OpenSSL	OpenSSL	Affected: 4.0.0 , < 4.0.1 (semver) Affected: 3.6.0 , < 3.6.3 (semver) Affected: 3.5.0 , < 3.5.7 (semver) Affected: 3.4.0 , < 3.4.6 (semver) Affected: 3.0.0 , < 3.0.21 (semver)

Date Public

2026-06-09 14:00

Credits

Alex Gaynor (Anthropic) Dmitry Belyavskiy (Red Hat)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.8,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-45446",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T18:48:41.903041Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T18:49:07.756Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.3",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5.7",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.6",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.21",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Alex Gaynor (Anthropic)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Dmitry Belyavskiy (Red Hat)"
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV\u003cbr\u003e(RFC 8452) mishandle the authentication of AAD (Additional Authenticated\u003cbr\u003eData) with an empty ciphertext allowing a forgery of such messages.\u003cbr\u003e\u003cbr\u003eImpact summary: An attacker can forge empty messages with arbitrary AAD\u003cbr\u003eto the victim\u0027s application using these ciphers.\u003cbr\u003e\u003cbr\u003eAES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD\u003cbr\u003emodes: they accept a key, nonce, optional AAD (bytes that are authenticated\u003cbr\u003ebut not encrypted), and plaintext, and produces ciphertext plus a 16-byte\u003cbr\u003etag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only\u003cbr\u003eif the tag is verified succesfully.\u003cbr\u003e\u003cbr\u003eIn OpenSSL\u0027s provider implementation of these ciphers, the expected tag is\u003cbr\u003ecomputed only when decryption function is invoked with non-empty data.\u003cbr\u003eIf the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without\u003cbr\u003einvocation of the ciphertext update, which can happen when the received\u003cbr\u003eciphertext length is zero, the tag is never recalculated and still holds its\u003cbr\u003eall-zeros value.\u003cbr\u003e\u003cbr\u003eWhen AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty\u003cbr\u003eciphertext, and all-zeros tag passes authentication under any key they do not\u003cbr\u003eknow, single-shot. When AES-SIV is used, for mounting the attack it\u0027s\u003cbr\u003enecessary for the application to reuse the decryption context without\u003cbr\u003eresetting the key.\u003cbr\u003e\u003cbr\u003eAES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since\u003cbr\u003eOpenSSL 3.2.\u003cbr\u003e\u003cbr\u003eNo protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support\u003cbr\u003eeither AES-GCM-SIV or AES-SIV. To mount an attack, the applications must\u003cbr\u003eimplement their own protocol and use the EVP interface. Also they must skip the\u003cbr\u003eciphertext update when a message with an empty ciphertext arrives.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\u003cbr\u003eissue, as these algorithms are not FIPS approved and the affected code is\u003cbr\u003eoutside the OpenSSL FIPS module boundary."
            }
          ],
          "value": "Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV\n(RFC 8452) mishandle the authentication of AAD (Additional Authenticated\nData) with an empty ciphertext allowing a forgery of such messages.\n\nImpact summary: An attacker can forge empty messages with arbitrary AAD\nto the victim\u0027s application using these ciphers.\n\nAES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD\nmodes: they accept a key, nonce, optional AAD (bytes that are authenticated\nbut not encrypted), and plaintext, and produces ciphertext plus a 16-byte\ntag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only\nif the tag is verified succesfully.\n\nIn OpenSSL\u0027s provider implementation of these ciphers, the expected tag is\ncomputed only when decryption function is invoked with non-empty data.\nIf the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without\ninvocation of the ciphertext update, which can happen when the received\nciphertext length is zero, the tag is never recalculated and still holds its\nall-zeros value.\n\nWhen AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty\nciphertext, and all-zeros tag passes authentication under any key they do not\nknow, single-shot. When AES-SIV is used, for mounting the attack it\u0027s\nnecessary for the application to reuse the decryption context without\nresetting the key.\n\nAES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since\nOpenSSL 3.2.\n\nNo protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support\neither AES-GCM-SIV or AES-SIV. To mount an attack, the applications must\nimplement their own protocol and use the EVP interface. Also they must skip the\nciphertext update when a message with an empty ciphertext arrives.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as these algorithms are not FIPS approved and the affected code is\noutside the OpenSSL FIPS module boundary."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Low"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-325",
              "description": "CWE-325 Missing Cryptographic Step",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T07:48:14.092Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "name": "4.0.1 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc"
        },
        {
          "name": "3.6.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/eec5e9bf0d867333b8495e456f5235d225798a68"
        },
        {
          "name": "3.5.7 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85"
        },
        {
          "name": "3.4.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/daca0f48e4a69a2892a62262bad59e62a8a76598"
        },
        {
          "name": "3.0.21 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2026-45446",
    "datePublished": "2026-06-09T16:03:32.120Z",
    "dateReserved": "2026-05-12T14:34:06.277Z",
    "dateUpdated": "2026-06-10T07:48:14.092Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45447 (GCVE-0-2026-45447)

Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 13:32

Title

Heap Use-After-Free in the PKCS7_verify() Function

Summary

Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-416 - Use After Free

Assigner

openssl

References

6 references

URL	Tags
https://openssl-library.org/news/secadv/20260609.txt	vendor-advisory
https://github.com/openssl/openssl/commit/3aad5eb…	patch
https://github.com/openssl/openssl/commit/c505d75…	patch
https://github.com/openssl/openssl/commit/7d4a980…	patch
https://github.com/openssl/openssl/commit/a541ae8…	patch
https://github.com/openssl/openssl/commit/9dfd688…	patch

Impacted products

1 product

Vendor	Product	Version
OpenSSL	OpenSSL	Affected: 4.0.0 , < 4.0.1 (semver) Affected: 3.6.0 , < 3.6.3 (semver) Affected: 3.5.0 , < 3.5.7 (semver) Affected: 3.4.0 , < 3.4.6 (semver) Affected: 3.0.0 , < 3.0.21 (semver) Affected: 1.1.1 , < 1.1.1zh (custom) Affected: 1.0.2 , < 1.0.2zq (custom)

Date Public

2026-06-09 14:00

Credits

Thai Duong (Calif.io in collaboration with Claude and Anthropic Research) Igor Ustinov

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-45447",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:59:38.212378Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:32:20.413Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.3",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5.7",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.6",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.21",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.1zh",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            },
            {
              "lessThan": "1.0.2zq",
              "status": "affected",
              "version": "1.0.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Thai Duong (Calif.io in collaboration with Claude and Anthropic Research)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Igor Ustinov"
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\u003cbr\u003etrigger a use-after-free during PKCS#7 signature verification.\u003cbr\u003e\u003cbr\u003eImpact summary: A use-after-free may result in process crashes, heap\u003cbr\u003ecorruption, or potentially remote code execution.\u003cbr\u003e\u003cbr\u003eWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\u003cbr\u003edigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\u003cbr\u003eincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\u003cbr\u003euse of the BIO by the calling application results in a use-after-free\u003cbr\u003econdition.\u003cbr\u003e\u003cbr\u003eIn the common case this occurs when the application later calls\u003cbr\u003eBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\u003cbr\u003eon allocator behavior and application-specific BIO usage patterns, this\u003cbr\u003emay result in a crash or other memory corruption. In some application\u003cbr\u003econtexts this may potentially be exploitable for remote code execution.\u003cbr\u003e\u003cbr\u003eApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\u003cbr\u003ePKCS#7 APIs may be affected. Applications using the CMS APIs for this\u003cbr\u003eprocessing are not affected.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\u003cbr\u003eissue, as the affected code is outside the OpenSSL FIPS module boundary."
            }
          ],
          "value": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\ntrigger a use-after-free during PKCS#7 signature verification.\n\nImpact summary: A use-after-free may result in process crashes, heap\ncorruption, or potentially remote code execution.\n\nWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\ndigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\nincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\nuse of the BIO by the calling application results in a use-after-free\ncondition.\n\nIn the common case this occurs when the application later calls\nBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\non allocator behavior and application-specific BIO usage patterns, this\nmay result in a crash or other memory corruption. In some application\ncontexts this may potentially be exploitable for remote code execution.\n\nApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\nPKCS#7 APIs may be affected. Applications using the CMS APIs for this\nprocessing are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "High"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T07:48:15.381Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "name": "4.0.1 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c"
        },
        {
          "name": "3.6.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e"
        },
        {
          "name": "3.5.7 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8"
        },
        {
          "name": "3.4.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c"
        },
        {
          "name": "3.0.21 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Heap Use-After-Free in the PKCS7_verify() Function",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2026-45447",
    "datePublished": "2026-06-09T16:03:32.914Z",
    "dateReserved": "2026-05-12T14:34:06.277Z",
    "dateUpdated": "2026-06-10T13:32:20.413Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7383 (GCVE-0-2026-7383)

Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:47

Title

Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion

Summary

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-787 - Out-of-bounds Write

Assigner

openssl

References

6 references

URL	Tags
https://openssl-library.org/news/secadv/20260609.txt	vendor-advisory
https://github.com/openssl/openssl/commit/d32350a…	patch
https://github.com/openssl/openssl/commit/c332ada…	patch
https://github.com/openssl/openssl/commit/80c15fa…	patch
https://github.com/openssl/openssl/commit/4f8d2bd…	patch
https://github.com/openssl/openssl/commit/bd17511…	patch

Impacted products

1 product

Vendor	Product	Version
OpenSSL	OpenSSL	Affected: 4.0.0 , < 4.0.1 (semver) Affected: 3.6.0 , < 3.6.3 (semver) Affected: 3.5.0 , < 3.5.7 (semver) Affected: 3.4.0 , < 3.4.6 (semver) Affected: 3.0.0 , < 3.0.21 (semver) Affected: 1.1.1 , < 1.1.1zh (custom) Affected: 1.0.2 , < 1.0.2zq (custom)

Date Public

2026-06-09 14:00

Credits

Zehua Qiao Jinwen He Viktor Dukhovni

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-7383",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T03:58:57.944Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.3",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5.7",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.6",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.21",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.1zh",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            },
            {
              "lessThan": "1.0.2zq",
              "status": "affected",
              "version": "1.0.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Zehua Qiao"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Jinwen He"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Viktor Dukhovni"
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: A signed integer overflow when sizing the destination\u003cbr\u003ebuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\u003cbr\u003ebuffer overflow.\u003cbr\u003e\u003cbr\u003eImpact summary: A heap buffer overflow may lead to a crash or possibly\u003cbr\u003eattacker controlled code execution or other undefined behaviour.\u003cbr\u003e\u003cbr\u003eIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\u003cbr\u003esize for Unicode output is computed in a signed int: by left shift\u003cbr\u003eof the input character count for BMPSTRING (UTF-16) and\u003cbr\u003eUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\u003cbr\u003efor UTF8STRING. The calculation overflows when the input reaches\u003cbr\u003earound 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\u003cbr\u003echaracters) the size wraps to zero, OPENSSL_malloc(1) is called, and\u003cbr\u003ethe subsequent character copy writes several gigabytes past the\u003cbr\u003eone-byte allocation.\u003cbr\u003e\u003cbr\u003eX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\u003cbr\u003ewhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\u003cbr\u003esize limits cap the input length; no network protocol or\u003cbr\u003ecertificate-handling path in OpenSSL exercises the overflow.\u003cbr\u003eTriggering the bug requires an application that calls\u003cbr\u003eASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\u003cbr\u003ea custom string type via ASN1_STRING_TABLE_add(), with\u003cbr\u003eattacker-controlled input on the order of half a gigabyte or more.\u003cbr\u003eFor these reasons this issue was assigned Low severity.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\u003cbr\u003ethis issue, as the affected code is outside the OpenSSL FIPS module\u003cbr\u003eboundary."
            }
          ],
          "value": "Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Low"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T07:47:47.578Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "name": "4.0.1 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255"
        },
        {
          "name": "3.6.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083"
        },
        {
          "name": "3.5.7 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74"
        },
        {
          "name": "3.4.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6"
        },
        {
          "name": "3.0.21 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2026-7383",
    "datePublished": "2026-06-09T16:03:15.508Z",
    "dateReserved": "2026-04-29T08:21:07.253Z",
    "dateUpdated": "2026-06-10T07:47:47.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-9076 (GCVE-0-2026-9076)

Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:47

Title

Out-of-Bounds Read in CMS Password-Based Decryption

Summary

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-125 - Out-of-bounds Read

Assigner

openssl

References

6 references

URL	Tags
https://openssl-library.org/news/secadv/20260609.txt	vendor-advisory
https://github.com/openssl/openssl/commit/3d8d5bc…	patch
https://github.com/openssl/openssl/commit/77bf00a…	patch
https://github.com/openssl/openssl/commit/715349a…	patch
https://github.com/openssl/openssl/commit/05b0663…	patch
https://github.com/openssl/openssl/commit/eecbe33…	patch

Impacted products

1 product

Vendor	Product	Version
OpenSSL	OpenSSL	Affected: 4.0.0 , < 4.0.1 (semver) Affected: 3.6.0 , < 3.6.3 (semver) Affected: 3.5.0 , < 3.5.7 (semver) Affected: 3.4.0 , < 3.4.6 (semver) Affected: 3.0.0 , < 3.0.21 (semver) Affected: 1.1.1 , < 1.1.1zh (custom) Affected: 1.0.2 , < 1.0.2zq (custom)

Date Public

2026-06-09 14:00

Credits

Bhabani Sankar Das Haruki Oyama (Waseda University) Nikola Pajkovsky

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-9076",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T19:04:07.840133Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T19:04:20.258Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.3",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5.7",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.6",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.21",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.1zh",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            },
            {
              "lessThan": "1.0.2zq",
              "status": "affected",
              "version": "1.0.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Bhabani Sankar Das"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Haruki Oyama (Waseda University)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Nikola Pajkovsky"
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)\u003cbr\u003eprocesses attacker-supplied CMS data, an attacker-chosen stream-mode KEK\u003cbr\u003ecipher can trigger a heap out-of-bounds read in kek_unwrap_key().\u003cbr\u003e\u003cbr\u003eImpact summary: A heap buffer over-read may trigger a crash which leads to\u003cbr\u003eDenial of Service for an application if the input buffer ends at a memory\u003cbr\u003epage boundary and the following page is unmapped. There is no information\u003cbr\u003edisclosure as the over-read bytes are not revealed to the attacker.\u003cbr\u003e\u003cbr\u003eThe key unwrapping function performs a check-byte test as specified in the\u003cbr\u003eRFC that reads 7 bytes from a heap allocation that is based on the wrapped\u003cbr\u003ekey length from the message. There is a minimum length check based on the\u003cbr\u003eblock length of the wrapping cipher. However the cipher is selected from\u003cbr\u003ean OID carried in the attacker\u0027s PWRI keyEncryptionAlgorithm with no\u003cbr\u003erequirement that the cipher be a block cipher. When an attacker selects\u003cbr\u003ea stream-mode cipher the guard will be ineffective and the allocated buffer\u003cbr\u003econtaining the unwrapped key can be too small to fit the check-bytes\u003cbr\u003especified in the RFC and a buffer over-read can happen.\u003cbr\u003e\u003cbr\u003eApplications calling CMS_decrypt() or CMS_decrypt_set1_password()\u003cbr\u003e(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS\u003cbr\u003edata are vulnerable to this issue. No password knowledge is required: the\u003cbr\u003eover-read happens during the unwrap attempt before any authentication\u003cbr\u003esucceeds.\u003cbr\u003e\u003cbr\u003eThe over-read is limited to a few bytes and is not written to output, so\u003cbr\u003ethere is no information disclosure. Triggering a crash requires the\u003cbr\u003eallocation to border unmapped memory, which is unlikely with the normal\u003cbr\u003eallocator.\u003cbr\u003e\u003cbr\u003eThe FIPS modules are not affected by this issue."
            }
          ],
          "value": "Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)\nprocesses attacker-supplied CMS data, an attacker-chosen stream-mode KEK\ncipher can trigger a heap out-of-bounds read in kek_unwrap_key().\n\nImpact summary: A heap buffer over-read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not revealed to the attacker.\n\nThe key unwrapping function performs a check-byte test as specified in the\nRFC that reads 7 bytes from a heap allocation that is based on the wrapped\nkey length from the message. There is a minimum length check based on the\nblock length of the wrapping cipher. However the cipher is selected from\nan OID carried in the attacker\u0027s PWRI keyEncryptionAlgorithm with no\nrequirement that the cipher be a block cipher. When an attacker selects\na stream-mode cipher the guard will be ineffective and the allocated buffer\ncontaining the unwrapped key can be too small to fit the check-bytes\nspecified in the RFC and a buffer over-read can happen.\n\nApplications calling CMS_decrypt() or CMS_decrypt_set1_password()\n(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS\ndata are vulnerable to this issue. No password knowledge is required: the\nover-read happens during the unwrap attempt before any authentication\nsucceeds.\n\nThe over-read is limited to a few bytes and is not written to output, so\nthere is no information disclosure. Triggering a crash requires the\nallocation to border unmapped memory, which is unlikely with the normal\nallocator.\n\nThe FIPS modules are not affected by this issue."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Low"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T07:47:51.139Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "name": "4.0.1 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0"
        },
        {
          "name": "3.6.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26"
        },
        {
          "name": "3.5.7 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/715349a1d7c6db970e6815dafb90915f07307f98"
        },
        {
          "name": "3.4.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/05b066366842f930fadd9a6e94df98030af431bb"
        },
        {
          "name": "3.0.21 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Out-of-Bounds Read in CMS Password-Based Decryption",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2026-9076",
    "datePublished": "2026-06-09T16:03:16.306Z",
    "dateReserved": "2026-05-20T12:43:37.677Z",
    "dateUpdated": "2026-06-10T07:47:51.139Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2026:25237

Vulnerability from osv_almalinux

CVE-2026-45445 (GCVE-0-2026-45445)

CVE-2026-45446 (GCVE-0-2026-45446)

CVE-2026-45447 (GCVE-0-2026-45447)

CVE-2026-7383 (GCVE-0-2026-7383)

CVE-2026-9076 (GCVE-0-2026-9076)

Tags

Sightings

Nomenclature