Description
Issue Summary: Cryptographic Message Services (CMS) processing fails to perform
sufficient input validation on the cipher and tag length fields of
AuthEnvelopedData containers, leading to various potential compromises.

Impact Summary: Attackers making use of these vulnerabilities may achieve
key-equivalent functionality for a given CMS recipient and/or bypass integrity
validation for a given message.

In one use case, an attacker may send a CMS message containing
AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL
erroneously allows this selection, and attempts to decrypt and validate the
message.

An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData
addressed to the victim can re-emit it with the recipientInfos set left
byte-for-byte intact, so the victim's private key still unwraps the genuine CEK
(the content-encryption key), but with the inner OID rewritten to AES-256-OFB
(Output Feedback Mode, an unauthenticated keystream mode) and with an
attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the
real CEK, never consults the MAC field, and CMS_decrypt() returns success.

If the application under attack responds to the attacker with any indicator
showing success or failure of the decryption effort, it is possible for the
attacker to use this as an oracle to obtain key equivalent functionality for the
CEK used for the chosen recipient of the message.

In another use case, an attacker can reduce the tag length of the chosen AEAD
cipher for a given AuthEnvelopedData container to be a single byte long,
allowing an attacker to brute force CMS decryption, producing an integrity
bypass for applications that trust CMS_decrypt() to reject modified content.

The FIPS modules are not affected by this issue.
Published: 2026-06-09
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenSSL’s CMS implementation fails to properly validate the cipher algorithm and tag length fields in AuthEnvelopedData messages, a classic example of CWE‑130 and CWE‑354, which concern inappropriate validation of cryptographic parameters and algorithm specifications. This flaw allows an attacker to forge a CMS message that specifies a non‑authenticated cipher or a shortened tag length. The library will still decrypt the message and report success, giving the attacker decryption capability for a legitimate recipient key or allowing an integrity bypass if the application trusts CMS_decrypt to reject modified content.

Affected Systems

The vulnerability affects the OpenSSL library in any configuration that processes CMS data. No specific product versions are listed by the CNA; therefore any OpenSSL installation that implements the CMS API could be impacted. The FIPS modules are explicitly stated to be unaffected.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical level of impact, while the EPSS score of <1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an on‑path attacker who can intercept, modify, or replay CMS traffic, but once the flaw is leveraged the attacker can obtain key‑equivalent functionality or bypass integrity checks, which poses significant confidentiality and integrity risks.

Generated by OpenCVE AI on June 11, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenSSL to the latest release that includes the security commits referenced in the advisory, ensuring that all CMS processing uses the patched source code.
  • Rebuild or relink any software that links to OpenSSL so the updated library is loaded at compile and runtime, verifying that no legacy CMS handling code remains.
  • If an immediate upgrade is infeasible, implement a defensive filter that inspects AuthEnvelopedData messages for proper cipher selection and tag length validation consistent with CWE‑354, rejecting any message that does not use an authenticated AEAD cipher or that specifies an invalid tag length.

Generated by OpenCVE AI on June 11, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6335-1 openssl security update
Ubuntu USN Ubuntu USN USN-8414-1 OpenSSL vulnerabilities
Ubuntu USN Ubuntu USN USN-8414-2 OpenSSL vulnerabilities
History

Mon, 15 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
References

Wed, 10 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
References

Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Openssl
Openssl openssl
Vendors & Products Openssl
Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.
Title CMS AuthEnvelopedData Processing May Accept Forged Messages
Weaknesses CWE-354
References

Subscriptions

Openssl Openssl
cve-icon MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-10T15:58:52.695Z

Reserved: 2026-03-26T09:29:36.013Z

Link: CVE-2026-34182

cve-icon Vulnrichment

Updated: 2026-06-10T15:56:46.661Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T17:17:04.857

Modified: 2026-06-15T18:13:05.717

Link: CVE-2026-34182

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-34182 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T02:30:02Z

Weaknesses
  • CWE-130

    Improper Handling of Length Parameter Inconsistency

  • CWE-354

    Improper Validation of Integrity Check Value