Description
Issue summary: An invalid or NULL pointer dereference can happen in
an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be
caused to dereference an invalid or NULL pointer on memory read, resulting
in a Denial of Service.

A type confusion vulnerability exists in PKCS#12 parsing code where
an ASN1_TYPE union member is accessed without first validating the type,
causing an invalid pointer read.

The location is constrained to a 1-byte address space, meaning any
attempted pointer manipulation can only target addresses between 0x00 and 0xFF.
This range corresponds to the zero page, which is unmapped on most modern
operating systems and will reliably result in a crash, leading only to a
Denial of Service. Exploiting this issue also requires a user or application
to process a maliciously crafted PKCS#12 file. It is uncommon to accept
untrusted PKCS#12 files in applications as they are usually used to store
private keys which are trusted by definition. For these reasons, the issue
was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
Published: 2026-01-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via invalid pointer dereference
Action: Update OpenSSL
AI Analysis

Impact

A vulnerability in OpenSSL's PKCS#12 parsing allows a type confusion error when an ASN1_TYPE union member is accessed without validating the type. This leads to an invalid pointer access, which can cause a controlled denial of service by crashing the application. The flaw is limited to a 1-byte address space, so the crash is deterministic because the pointer will target the zero page, which is unmapped on most operating systems.

Affected Systems

Affected configurations include OpenSSL releases 1.1.1, 3.0, 3.3, 3.4, 3.5, and 3.6. The FIPS modules (3.5, 3.4, 3.3, 3.0) are excluded because the code lies outside the FIPS boundary, and OpenSSL 1.0.2 is unaffected.

Risk and Exploitability

The CVSS score is 5.5, indicating low severity, and the EPSS score is below 1%, so the exploitation probability is very low. The vulnerability is not in the CISA KEV catalog, and the attack requires a user or application to process a maliciously crafted PKCS#12 file, which is uncommon. Consequently, the risk is limited but still warrants addressing, especially in environments that load untrusted PKCS#12s or in high-security contexts.

Generated by OpenCVE AI on April 18, 2026 at 02:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSSL to a version that includes the fix or apply the patches from the referenced commits.
  • Validate source and integrity of any PKCS#12 file before loading, and avoid accepting untrusted files in production.
  • Run the application in a sandboxed or restricted environment (e.g., container or chroot) to contain a potential crash.

Generated by OpenCVE AI on April 18, 2026 at 02:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4490-1 openssl security update
Debian DSA Debian DSA DSA-6113-1 openssl security update
Ubuntu USN Ubuntu USN USN-7980-1 OpenSSL vulnerabilities
Ubuntu USN Ubuntu USN USN-7980-2 OpenSSL vulnerabilities
History

Mon, 02 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Thu, 29 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Low

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Openssl
Openssl openssl
Vendors & Products Openssl
Openssl openssl

Tue, 27 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Description Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
Title Missing ASN1_TYPE validation in PKCS#12 parsing
Weaknesses CWE-754
References

Subscriptions

Openssl Openssl
cve-icon MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-01-29T18:13:37.371Z

Reserved: 2026-01-09T18:54:13.570Z

Link: CVE-2026-22795

cve-icon Vulnrichment

Updated: 2026-01-28T20:03:22.912Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-27T16:16:35.430

Modified: 2026-02-02T18:41:14.917

Link: CVE-2026-22795

cve-icon Redhat

Severity : Low

Publid Date: 2026-01-27T00:00:00Z

Links: CVE-2026-22795 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses