CVE-2026-45445 (GCVE-0-2026-45445)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:48
VLAI
Title
AES-OCB IV Ignored on EVP_Cipher() Path
Summary
Issue summary: When an application drives an AES-OCB context through the
public EVP_Cipher() one-shot interface, the application-supplied
initialisation vector (IV) is silently discarded.
Impact summary: Every message encrypted under the same key uses the
same effective nonce regardless of the IV supplied by the caller,
resulting in (key, nonce) reuse and loss of confidentiality. If the
same code path is used to compute the authentication tag, the tag
depends only on the (key, IV) pair and not on the plaintext or
ciphertext, allowing universal forgery of arbitrary ciphertext from a
single captured message.
OpenSSL provides two ways to drive a cipher: the documented streaming
interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level
one-shot, EVP_Cipher(), whose documentation explicitly recommends
against use by applications in favour of EVP_CipherUpdate() and
EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes
the application-supplied IV into the OCB context before processing
data; the one-shot handler did not. Every call to EVP_Cipher() on an
AES-OCB context therefore ran with the all-zero key-derived offset
state left by cipher initialisation, regardless of the caller's IV.
If EVP_EncryptFinal_ex() is subsequently used to obtain the
authentication tag, the deferred IV setup runs at that point and
clears the running checksum that should have been accumulated over the
plaintext. The resulting tag is a function of (key, IV) only and
verifies against any ciphertext produced under the same (key, IV)
pair.
The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a
TLS cipher suite, and libssl does not call EVP_Cipher() in any case.
Applications that drive AES-OCB through the documented streaming AEAD
API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only
applications that combine the AES-OCB cipher with the EVP_Cipher()
one-shot API are vulnerable.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by
this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-325 - Missing Cryptographic Step
Assigner
References
6 references
Impacted products
Date Public
2026-06-09 14:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:22:47.789275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:23:02.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Alex Gaynor (Anthropic)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Viktor Dukhovni"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: When an application drives an AES-OCB context through the\u003cbr\u003epublic EVP_Cipher() one-shot interface, the application-supplied\u003cbr\u003einitialisation vector (IV) is silently discarded.\u003cbr\u003e\u003cbr\u003eImpact summary: Every message encrypted under the same key uses the\u003cbr\u003esame effective nonce regardless of the IV supplied by the caller,\u003cbr\u003eresulting in (key, nonce) reuse and loss of confidentiality. If the\u003cbr\u003esame code path is used to compute the authentication tag, the tag\u003cbr\u003edepends only on the (key, IV) pair and not on the plaintext or\u003cbr\u003eciphertext, allowing universal forgery of arbitrary ciphertext from a\u003cbr\u003esingle captured message.\u003cbr\u003e\u003cbr\u003eOpenSSL provides two ways to drive a cipher: the documented streaming\u003cbr\u003einterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\u003cbr\u003eone-shot, EVP_Cipher(), whose documentation explicitly recommends\u003cbr\u003eagainst use by applications in favour of EVP_CipherUpdate() and\u003cbr\u003eEVP_CipherFinal_ex(). The OCB provider\u0027s streaming handler flushes\u003cbr\u003ethe application-supplied IV into the OCB context before processing\u003cbr\u003edata; the one-shot handler did not. Every call to EVP_Cipher() on an\u003cbr\u003eAES-OCB context therefore ran with the all-zero key-derived offset\u003cbr\u003estate left by cipher initialisation, regardless of the caller\u0027s IV.\u003cbr\u003e\u003cbr\u003eIf EVP_EncryptFinal_ex() is subsequently used to obtain the\u003cbr\u003eauthentication tag, the deferred IV setup runs at that point and\u003cbr\u003eclears the running checksum that should have been accumulated over the\u003cbr\u003eplaintext. The resulting tag is a function of (key, IV) only and\u003cbr\u003everifies against any ciphertext produced under the same (key, IV)\u003cbr\u003epair.\u003cbr\u003e\u003cbr\u003eThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\u003cbr\u003eTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\u003cbr\u003eApplications that drive AES-OCB through the documented streaming AEAD\u003cbr\u003eAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\u003cbr\u003eapplications that combine the AES-OCB cipher with the EVP_Cipher()\u003cbr\u003eone-shot API are vulnerable.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\u003cbr\u003ethis issue, as AES-OCB is outside the OpenSSL FIPS module boundary."
}
],
"value": "Issue summary: When an application drives an AES-OCB context through the\npublic EVP_Cipher() one-shot interface, the application-supplied\ninitialisation vector (IV) is silently discarded.\n\nImpact summary: Every message encrypted under the same key uses the\nsame effective nonce regardless of the IV supplied by the caller,\nresulting in (key, nonce) reuse and loss of confidentiality. If the\nsame code path is used to compute the authentication tag, the tag\ndepends only on the (key, IV) pair and not on the plaintext or\nciphertext, allowing universal forgery of arbitrary ciphertext from a\nsingle captured message.\n\nOpenSSL provides two ways to drive a cipher: the documented streaming\ninterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\none-shot, EVP_Cipher(), whose documentation explicitly recommends\nagainst use by applications in favour of EVP_CipherUpdate() and\nEVP_CipherFinal_ex(). The OCB provider\u0027s streaming handler flushes\nthe application-supplied IV into the OCB context before processing\ndata; the one-shot handler did not. Every call to EVP_Cipher() on an\nAES-OCB context therefore ran with the all-zero key-derived offset\nstate left by cipher initialisation, regardless of the caller\u0027s IV.\n\nIf EVP_EncryptFinal_ex() is subsequently used to obtain the\nauthentication tag, the deferred IV setup runs at that point and\nclears the running checksum that should have been accumulated over the\nplaintext. The resulting tag is a function of (key, IV) only and\nverifies against any ciphertext produced under the same (key, IV)\npair.\n\nThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\nTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\nApplications that drive AES-OCB through the documented streaming AEAD\nAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\napplications that combine the AES-OCB cipher with the EVP_Cipher()\none-shot API are vulnerable.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as AES-OCB is outside the OpenSSL FIPS module boundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Moderate"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-325",
"description": "CWE-325 Missing Cryptographic Step",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:48:10.949Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "AES-OCB IV Ignored on EVP_Cipher() Path",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-45445",
"datePublished": "2026-06-09T16:03:31.338Z",
"dateReserved": "2026-05-12T14:34:06.276Z",
"dateUpdated": "2026-06-10T07:48:10.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-45445",
"date": "2026-06-11",
"epss": "0.0002",
"percentile": "0.05711"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-45445\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2026-06-09T17:17:18.993\",\"lastModified\":\"2026-06-10T08:16:24.507\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Issue summary: When an application drives an AES-OCB context through the\\npublic EVP_Cipher() one-shot interface, the application-supplied\\ninitialisation vector (IV) is silently discarded.\\n\\nImpact summary: Every message encrypted under the same key uses the\\nsame effective nonce regardless of the IV supplied by the caller,\\nresulting in (key, nonce) reuse and loss of confidentiality. If the\\nsame code path is used to compute the authentication tag, the tag\\ndepends only on the (key, IV) pair and not on the plaintext or\\nciphertext, allowing universal forgery of arbitrary ciphertext from a\\nsingle captured message.\\n\\nOpenSSL provides two ways to drive a cipher: the documented streaming\\ninterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\\none-shot, EVP_Cipher(), whose documentation explicitly recommends\\nagainst use by applications in favour of EVP_CipherUpdate() and\\nEVP_CipherFinal_ex(). The OCB provider\u0027s streaming handler flushes\\nthe application-supplied IV into the OCB context before processing\\ndata; the one-shot handler did not. Every call to EVP_Cipher() on an\\nAES-OCB context therefore ran with the all-zero key-derived offset\\nstate left by cipher initialisation, regardless of the caller\u0027s IV.\\n\\nIf EVP_EncryptFinal_ex() is subsequently used to obtain the\\nauthentication tag, the deferred IV setup runs at that point and\\nclears the running checksum that should have been accumulated over the\\nplaintext. The resulting tag is a function of (key, IV) only and\\nverifies against any ciphertext produced under the same (key, IV)\\npair.\\n\\nThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\\nTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\\nApplications that drive AES-OCB through the documented streaming AEAD\\nAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\\napplications that combine the AES-OCB cipher with the EVP_Cipher()\\none-shot API are vulnerable.\\n\\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\\nthis issue, as AES-OCB is outside the OpenSSL FIPS module boundary.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"openssl-security@openssl.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-325\"}]}],\"references\":[{\"url\":\"https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://openssl-library.org/news/secadv/20260609.txt\",\"source\":\"openssl-security@openssl.org\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45445\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-09T19:22:47.789275Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-09T19:22:42.527Z\"}}], \"cna\": {\"title\": \"AES-OCB IV Ignored on EVP_Cipher() Path\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Alex Gaynor (Anthropic)\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Viktor Dukhovni\"}], \"metrics\": [{\"other\": {\"type\": \"https://openssl-library.org/policies/general/security-policy/\", \"content\": {\"text\": \"Moderate\"}}, \"format\": \"other\"}], \"affected\": [{\"vendor\": \"OpenSSL\", \"product\": \"OpenSSL\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"4.0.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.6.0\", \"lessThan\": \"3.6.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.5.0\", \"lessThan\": \"3.5.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.4.0\", \"lessThan\": \"3.4.6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.21\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-06-09T14:00:00.000Z\", \"references\": [{\"url\": \"https://openssl-library.org/news/secadv/20260609.txt\", \"name\": \"OpenSSL Advisory\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c\", \"name\": \"4.0.1 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7\", \"name\": \"3.6.3 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6\", \"name\": \"3.5.7 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af\", \"name\": \"3.4.6 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451\", \"name\": \"3.0.21 git commit\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Issue summary: When an application drives an AES-OCB context through the\\npublic EVP_Cipher() one-shot interface, the application-supplied\\ninitialisation vector (IV) is silently discarded.\\n\\nImpact summary: Every message encrypted under the same key uses the\\nsame effective nonce regardless of the IV supplied by the caller,\\nresulting in (key, nonce) reuse and loss of confidentiality. If the\\nsame code path is used to compute the authentication tag, the tag\\ndepends only on the (key, IV) pair and not on the plaintext or\\nciphertext, allowing universal forgery of arbitrary ciphertext from a\\nsingle captured message.\\n\\nOpenSSL provides two ways to drive a cipher: the documented streaming\\ninterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\\none-shot, EVP_Cipher(), whose documentation explicitly recommends\\nagainst use by applications in favour of EVP_CipherUpdate() and\\nEVP_CipherFinal_ex(). The OCB provider\u0027s streaming handler flushes\\nthe application-supplied IV into the OCB context before processing\\ndata; the one-shot handler did not. Every call to EVP_Cipher() on an\\nAES-OCB context therefore ran with the all-zero key-derived offset\\nstate left by cipher initialisation, regardless of the caller\u0027s IV.\\n\\nIf EVP_EncryptFinal_ex() is subsequently used to obtain the\\nauthentication tag, the deferred IV setup runs at that point and\\nclears the running checksum that should have been accumulated over the\\nplaintext. The resulting tag is a function of (key, IV) only and\\nverifies against any ciphertext produced under the same (key, IV)\\npair.\\n\\nThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\\nTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\\nApplications that drive AES-OCB through the documented streaming AEAD\\nAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\\napplications that combine the AES-OCB cipher with the EVP_Cipher()\\none-shot API are vulnerable.\\n\\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\\nthis issue, as AES-OCB is outside the OpenSSL FIPS module boundary.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Issue summary: When an application drives an AES-OCB context through the\u003cbr\u003epublic EVP_Cipher() one-shot interface, the application-supplied\u003cbr\u003einitialisation vector (IV) is silently discarded.\u003cbr\u003e\u003cbr\u003eImpact summary: Every message encrypted under the same key uses the\u003cbr\u003esame effective nonce regardless of the IV supplied by the caller,\u003cbr\u003eresulting in (key, nonce) reuse and loss of confidentiality. If the\u003cbr\u003esame code path is used to compute the authentication tag, the tag\u003cbr\u003edepends only on the (key, IV) pair and not on the plaintext or\u003cbr\u003eciphertext, allowing universal forgery of arbitrary ciphertext from a\u003cbr\u003esingle captured message.\u003cbr\u003e\u003cbr\u003eOpenSSL provides two ways to drive a cipher: the documented streaming\u003cbr\u003einterface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level\u003cbr\u003eone-shot, EVP_Cipher(), whose documentation explicitly recommends\u003cbr\u003eagainst use by applications in favour of EVP_CipherUpdate() and\u003cbr\u003eEVP_CipherFinal_ex(). The OCB provider\u0027s streaming handler flushes\u003cbr\u003ethe application-supplied IV into the OCB context before processing\u003cbr\u003edata; the one-shot handler did not. Every call to EVP_Cipher() on an\u003cbr\u003eAES-OCB context therefore ran with the all-zero key-derived offset\u003cbr\u003estate left by cipher initialisation, regardless of the caller\u0027s IV.\u003cbr\u003e\u003cbr\u003eIf EVP_EncryptFinal_ex() is subsequently used to obtain the\u003cbr\u003eauthentication tag, the deferred IV setup runs at that point and\u003cbr\u003eclears the running checksum that should have been accumulated over the\u003cbr\u003eplaintext. The resulting tag is a function of (key, IV) only and\u003cbr\u003everifies against any ciphertext produced under the same (key, IV)\u003cbr\u003epair.\u003cbr\u003e\u003cbr\u003eThe OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a\u003cbr\u003eTLS cipher suite, and libssl does not call EVP_Cipher() in any case.\u003cbr\u003eApplications that drive AES-OCB through the documented streaming AEAD\u003cbr\u003eAPI (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only\u003cbr\u003eapplications that combine the AES-OCB cipher with the EVP_Cipher()\u003cbr\u003eone-shot API are vulnerable.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\u003cbr\u003ethis issue, as AES-OCB is outside the OpenSSL FIPS module boundary.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-325\", \"description\": \"CWE-325 Missing Cryptographic Step\"}]}], \"providerMetadata\": {\"orgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"shortName\": \"openssl\", \"dateUpdated\": \"2026-06-10T07:48:10.949Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-45445\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-10T07:48:10.949Z\", \"dateReserved\": \"2026-05-12T14:34:06.276Z\", \"assignerOrgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"datePublished\": \"2026-06-09T16:03:31.338Z\", \"assignerShortName\": \"openssl\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…