Description
Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to
Bleichenbacher-style attack when an attacker is able to provide the CMS or
S/MIME messages and observe the error code and/or decryption output.

Impact summary: The Bleichenbacher-style attack allows an attacker to use the
victim's vulnerable application as a way to decrypt or sign messages with the
victim's private RSA key.

The attack is possible in 2 variants.

1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without
providing the recipient certificate. In this case OpenSSL iterates over every
KeyTransRecipientInfo (KTRI) without stopping at the first success.

An attacker who authors a message with two KTRI entries — the first one
wrapping a real CEK under the victim's public key, the second with an
arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to
get a valid PKCS#1 v1.5 padding if the error code of the application is
available.

That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an
adaptive-chosen-ciphertext side channel from which the attacker decrypts any
RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under
it.

2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with
the recipient certificate, and the recipient is not found, a random
key is substituted.

An attacker who authors a message and is able to compare both error code and
the result of the decryption, can mount a Bleichenbacher oracle.

We are not aware of any applications that provide a remote attacker
an opportunity to mount an attack described in these scenarios. We consider
the existence of such application very unlikely, and for this reason this
CVE has been evaluated as Low severity.

To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the
invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described
in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit
rejection was explicitly disabled.

The implicit rejection mechanism always returns a plaintext value,
the symmetric key. This result is deterministic for the ciphertext and the
private key. The length of the decryption result can happen to match the
length of the key of the symmetric cipher that was used for the content
encryption. When a certificate is not provided, the last RecipientInfo
producing a key that looks valid will be used. It may cause getting garbage
content on decryption. As a proper way to deal with this a recipient
certificate has to be provided to identify the particular RecipientInfo for
decryption.

The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as
CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.
Published: 2026-06-09
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CMS_decrypt() and PKCS7_decrypt() functions in OpenSSL can be abused by a Bleichenbacher‑style adaptive‑chosen‑ciphertext attack when an attacker can supply CMS or S/MIME messages and observe error codes or decryption output. The vulnerability allows an attacker to iterate over all KeyTransRecipientInfo entries or over the single RecipientInfo when a certificate is missing, producing a valid PKCS#1 v1.5 padding and effectively decrypting any RSA ciphertext with the victim’s private key or forging a PKCS#1 v1.5 signature. This directly compromises both confidentiality and integrity of encrypted or signed data.

Affected Systems

The flaw exists in all OpenSSL releases before the commit series that implements the implicit rejection mechanism for RSA PKCS#1 v1.5 key transport. The advisory does not list specific version ranges; it applies to builds that have not yet incorporated the referenced patches. The FIPS modules (4.0, 3.6, 3.5, 3.4) are not impacted because CMS and S/MIME processing occurs outside the FIPS module boundary.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity and the EPSS score of <1% denotes a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply crafted messages and observe error or output differences, which is unlikely for typical deployments where CMS or S/MIME decryption APIs are not exposed to remote input. If an application does expose these APIs, the risk could increase sharply, but the current evidence indicates a low exploitation probability.

Generated by OpenCVE AI on June 11, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest OpenSSL release that includes the implicit rejection mechanism for RSA PKCS#1 v1.5 key transport (see the patched commits referenced in the advisory).
  • When calling CMS_decrypt() or PKCS7_decrypt(), always provide the recipient’s certificate to avoid looping over multiple RecipientInfo entries.
  • If upgrading immediately cannot be performed, reconfigure the application to reject CMS or S/MIME messages that contain more than one RecipientInfo entry and disable RSA PKCS#1 v1.5 key transport in favor of OAEP or a stronger key‑transport scheme.

Generated by OpenCVE AI on June 11, 2026 at 02:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6335-1 openssl security update
Ubuntu USN Ubuntu USN USN-8414-1 OpenSSL vulnerabilities
History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-205
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 10 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
References

Wed, 10 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
References

Tue, 09 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Openssl
Openssl openssl
Vendors & Products Openssl
Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.
Title Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()
Weaknesses CWE-514
References

Subscriptions

Openssl Openssl
cve-icon MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-10T07:48:04.770Z

Reserved: 2026-04-29T09:22:27.969Z

Link: CVE-2026-42768

cve-icon Vulnrichment

Updated: 2026-06-09T19:40:13.927Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T17:17:08.223

Modified: 2026-06-16T02:58:12.833

Link: CVE-2026-42768

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-09T00:00:00Z

Links: CVE-2026-42768 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T03:00:04Z

Weaknesses