Description
Issue summary: A specially crafted password-encrypted CMS message
can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash
and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as
OPTIONAL in the ASN.1 specification and may therefore be absent in specially
crafted inputs. During the password-based CMS decryption the OpenSSL
CMS implementation dereferences this field without first checking whether it
was present.

An attacker who supplies such a CMS message to an application performing
password-based CMS decryption can trigger an application crash, leading to
a Denial of Service.

Applications that process password-encrypted CMS messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A nullable field in the CMS password recipient structure allows a crafted encrypted message to cause OpenSSL to dereference a NULL pointer during decryption, leading to an application crash and service interruption. The flaw is located in the function that processes the optional keyDerivationAlgorithm attribute, which is omitted in improperly formed inputs.

Affected Systems

The vulnerability affects OpenSSL libraries that include the CMS decryption implementation. Only the FIPS modules (versions 4.0, 3.6, 3.5, 3.4, and 3.0) are exempted, as the affected code lies outside the FIPS boundary. Applications that invoke password‑based CMS decryption using any non‑FIPS build of OpenSSL are susceptible.

Risk and Exploitability

EPSS information is not available and the vulnerability is not listed in CISA KEV, indicating no confirmed public exploitation yet. However, an attacker can remotely supply a malformed CMS message to any service that performs password-based decryption, trigger the crash, and cause a denial of service. The CVSS score is 5.9, indicating a medium‑severity denial of service scenario.

Generated by OpenCVE AI on June 9, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the newest OpenSSL release that incorporates the fix identified in the security commits.
  • If an immediate upgrade is infeasible, add pre‑decryption validation in the application to confirm the presence of the keyDerivationAlgorithm field before calling the OpenSSL CMS decryption routine.
  • After applying the update or validation, validate the affected services with an internal penetration test that supplies malformed CMS messages to confirm the denial of service attack has been mitigated.

Generated by OpenCVE AI on June 9, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6335-1 openssl security update
Ubuntu USN Ubuntu USN USN-8414-1 OpenSSL vulnerabilities
Ubuntu USN Ubuntu USN USN-8414-2 OpenSSL vulnerabilities
History

Wed, 10 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
References

Wed, 10 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
References

Tue, 09 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Openssl
Openssl openssl
Vendors & Products Openssl
Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Title Possible NULL Dereference in Password-Based CMS Decryption
Weaknesses CWE-476
References

Subscriptions

Openssl Openssl
cve-icon MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-10T07:48:01.992Z

Reserved: 2026-04-29T09:22:27.968Z

Link: CVE-2026-42766

cve-icon Vulnrichment

Updated: 2026-06-09T19:46:17.520Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:07.970

Modified: 2026-06-10T08:16:23.520

Link: CVE-2026-42766

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:00:15Z

Weaknesses