Description
Issue Summary: Cryptographic Message Services (CMS) processing fails to perform
sufficient input validation on the cipher and tag length fields of
AuthEnvelopedData containers, leading to various potential compromises.

Impact Summary: Attackers making use of these vulnerabilities may achieve
key-equivalent functionality for a given CMS recipient and/or bypass integrity
validation for a given message.

In one use case, an attacker may send a CMS message containing
AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL
erroneously allows this selection, and attempts to decrypt and validate the
message.

An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData
addressed to the victim can re-emit it with the recipientInfos set left
byte-for-byte intact, so the victim's private key still unwraps the genuine CEK
(the content-encryption key), but with the inner OID rewritten to AES-256-OFB
(Output Feedback Mode, an unauthenticated keystream mode) and with an
attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the
real CEK, never consults the MAC field, and CMS_decrypt() returns success.

If the application under attack responds to the attacker with any indicator
showing success or failure of the decryption effort, it is possible for the
attacker to use this as an oracle to obtain key equivalent functionality for the
CEK used for the chosen recipient of the message.

In another use case, an attacker can reduce the tag length of the chosen AEAD
cipher for a given AuthEnvelopedData container to be a single byte long,
allowing an attacker to brute force CMS decryption, producing an integrity
bypass for applications that trust CMS_decrypt() to reject modified content.

The FIPS modules are not affected by this issue.
Published: 2026-06-09
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenSSL’s CMS implementation does not properly verify the cipher algorithm and tag length fields in AuthEnvelopedData messages. An attacker can transmit a forged CMS message that specifies a non‑authenticated cipher or a shortened tag length. The library in this configuration will still decrypt the message and report success, yielding decryption capability for a legitimate recipient key or bypassing authenticity checks. The impact is that modified data can be processed as if it were genuine and that an attacker may recover the equivalent decryption key for a given recipient.

Affected Systems

The flaw affects the OpenSSL library. No specific product versions are listed by the CNA; therefore any OpenSSL installation that processes CMS data is potentially impacted.

Risk and Exploitability

The advisory references CWE-354, a weakness in authentication and integrity checks, but does not provide a CVSS score, EPSS score, or KEV status. The described attack scenarios require an attacker who can intercept, modify, or replay CMS traffic, indicating that the vulnerability is exploitable in environments that use CMS. Given the absence of severity metrics, the risk remains uncertain, but the potential for key-equivalent compromise and integrity bypass supports the recommendation to address the issue promptly.

Generated by OpenCVE AI on June 9, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenSSL to the latest release that contains the security commits listed in the advisory references, ensuring that applications use the patched source.
  • Rebuild or relink any software that links to OpenSSL so the updated library is loaded and used at compile and runtime, and verify that no legacy CMS handling code remains.
  • If an immediate upgrade is infeasible, employ a defensive filter that rejects AuthEnvelopedData messages that do not use an authenticated AEAD cipher or that specify a tag length inconsistent with the algorithm, thereby preventing the forged return of successful decryption values.

Generated by OpenCVE AI on June 9, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6335-1 openssl security update
Ubuntu USN Ubuntu USN USN-8414-1 OpenSSL vulnerabilities
Ubuntu USN Ubuntu USN USN-8414-2 OpenSSL vulnerabilities
History

Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Openssl
Openssl openssl
Vendors & Products Openssl
Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.
Title CMS AuthEnvelopedData Processing May Accept Forged Messages
Weaknesses CWE-354
References

Subscriptions

Openssl Openssl
cve-icon MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-09T16:03:22.848Z

Reserved: 2026-03-26T09:29:36.013Z

Link: CVE-2026-34182

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:04.857

Modified: 2026-06-09T19:38:32.463

Link: CVE-2026-34182

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T18:00:12Z

Weaknesses