CVE-2026-42766 (GCVE-0-2026-42766)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:48
VLAI?
Title
Possible NULL Dereference in Password-Based CMS Decryption
Summary
Issue summary: A specially crafted password-encrypted CMS message
can trigger a NULL pointer dereference during CMS decryption.
Impact summary: This NULL pointer dereference leads to an application crash
and a Denial of Service.
The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as
OPTIONAL in the ASN.1 specification and may therefore be absent in specially
crafted inputs. During the password-based CMS decryption the OpenSSL
CMS implementation dereferences this field without first checking whether it
was present.
An attacker who supplies such a CMS message to an application performing
password-based CMS decryption can trigger an application crash, leading to
a Denial of Service.
Applications that process password-encrypted CMS messages may be affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity ?
No CVSS data available.
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Credits
Mayank Jangid
Kushal Khemka
Hari Priandana
Bhabani Sankar Das
Qifan Zhang (Palo Alto Networks)
Igor Ustinov
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:46:24.673332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:46:27.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1zh",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.0.2zq",
"status": "affected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mayank Jangid"
},
{
"lang": "en",
"type": "reporter",
"value": "Kushal Khemka"
},
{
"lang": "en",
"type": "reporter",
"value": "Hari Priandana"
},
{
"lang": "en",
"type": "reporter",
"value": "Bhabani Sankar Das"
},
{
"lang": "en",
"type": "reporter",
"value": "Qifan Zhang (Palo Alto Networks)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Igor Ustinov"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: A specially crafted password-encrypted CMS message\u003cbr\u003ecan trigger a NULL pointer dereference during CMS decryption.\u003cbr\u003e\u003cbr\u003eImpact summary: This NULL pointer dereference leads to an application crash\u003cbr\u003eand a Denial of Service.\u003cbr\u003e\u003cbr\u003eThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\u003cbr\u003eOPTIONAL in the ASN.1 specification and may therefore be absent in specially\u003cbr\u003ecrafted inputs. During the password-based CMS decryption the OpenSSL\u003cbr\u003eCMS implementation dereferences this field without first checking whether it\u003cbr\u003ewas present.\u003cbr\u003e\u003cbr\u003eAn attacker who supplies such a CMS message to an application performing\u003cbr\u003epassword-based CMS decryption can trigger an application crash, leading to\u003cbr\u003ea Denial of Service.\u003cbr\u003e\u003cbr\u003eApplications that process password-encrypted CMS messages may be affected.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\u003cbr\u003eissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"value": "Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:48:01.992Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Possible NULL Dereference in Password-Based CMS Decryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-42766",
"datePublished": "2026-06-09T16:03:26.679Z",
"dateReserved": "2026-04-29T09:22:27.968Z",
"dateUpdated": "2026-06-10T07:48:01.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…