Description
Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to a
Bleichenbacher-style attack when an attacker is able to provide the CMS or
S/MIME messages and observe the error code and/or the decryption output.

Impact summary: The Bleichenbacher-style attack allows an attacker to use the
victim's vulnerable application as a way to decrypt or sign messages with the
victim's private RSA key.

The attack is possible in two variants.

1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without
providing the recipient certificate. In this case OpenSSL iterates over every
KeyTransRecipientInfo (KTRI) without stopping at the first success.

An attacker who authors a message with two KTRI entries, the first wrapping a
real CEK under the victim's public key and the second carrying an arbitrary
probe ciphertext, gains the opportunity to vary the second KTRI until it yields
valid PKCS#1 v1.5 padding, provided the application's error code is
observable.

That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an
adaptive-chosen-ciphertext side channel from which the attacker decrypts any
RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under
it.

2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with
the recipient certificate, and the recipient is not found, a random
key is substituted.

An attacker who authors a message and is able to observe both the error code
and the result of the decryption can mount a Bleichenbacher oracle.

We are not aware of any applications that give a remote attacker an
opportunity to mount the attack described in these scenarios. We consider the
existence of such an application very unlikely, and for this reason this CVE
has been evaluated as Low severity.

To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the
invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described
in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit
rejection was explicitly disabled.

The implicit rejection mechanism always returns a plaintext value, the
symmetric key. This result is deterministic for a given ciphertext and private
key. The length of the decryption result may happen to match the length of the
key of the symmetric cipher used for the content encryption. When a
certificate is not provided, the last RecipientInfo producing a key that looks
valid will be used, which may yield garbage content on decryption. The proper
way to deal with this is to provide a recipient certificate that identifies
the particular RecipientInfo to use for decryption.
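To show why implicit rejection closes the oracle described above, here is an added Python model; it is not OpenSSL's code. The toy RSA key, the padding helpers and the synthetic-key derivation are constructed for this example and simplify the draft's mechanism; the old path reports bad padding as an error, the fixed path always returns a key of the expected length, so a wrong ciphertext only produces garbage content rather than an observable failure.

```python
import hashlib
import hmac

# Constructed toy RSA key from the Mersenne primes 2^127-1 and 2^107-1 (assumption):
# far too small for real use, but it lets the example run with no crypto library.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (30 here)
KEY_LEN = 16                    # length of the content-encryption key (AES-128)

def pkcs1_v15_encrypt(msg, ps):
    # RSAES-PKCS1-v1_5: EM = 00 || 02 || PS (non-zero bytes) || 00 || M
    assert len(ps) == K - 3 - len(msg) and all(ps)
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def pkcs1_v15_unpad(em):
    # Return M for a well-formed Type 2 block, None otherwise. Not constant-time;
    # a real implementation must also avoid timing differences on this path.
    if len(em) != K or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # PS must be at least 8 bytes long
        return None
    return em[sep + 1:]

def rsa_decrypt_raw(ct):
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")

def decrypt_explicit_rejection(ct):
    # Pre-fix behaviour: bad padding or a wrong key length is reported as an
    # error (None). Error vs. no error is exactly the signal the oracle needs.
    m = pkcs1_v15_unpad(rsa_decrypt_raw(ct))
    return m if m is not None and len(m) == KEY_LEN else None

def synthetic_key(ct):
    # Simplified model (assumption) of the draft's implicit rejection: derive a
    # stand-in key from a secret bound to the private key and from the
    # ciphertext, so the same (key, ct) pair always yields the same bytes.
    prk = hashlib.sha256(D.to_bytes(K, "big")).digest()
    return hmac.new(prk, ct, hashlib.sha256).digest()[:KEY_LEN]

def decrypt_implicit_rejection(ct):
    # Fixed behaviour: always return a KEY_LEN-byte key, never an error. A bad
    # ciphertext just yields a key that later decrypts the content to garbage.
    m = pkcs1_v15_unpad(rsa_decrypt_raw(ct))
    return m if m is not None and len(m) == KEY_LEN else synthetic_key(ct)
```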

The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as
CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.
Published: 2026-06-09
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CMS_decrypt() and PKCS7_decrypt() functions in OpenSSL are susceptible to Bleichenbacher-style adaptive-chosen-ciphertext attacks when an attacker can supply CMS or S/MIME messages and observe error codes or decryption results. The attack logic branches on whether a recipient certificate is provided and iterates over all RecipientInfo entries, allowing an attacker to extract the victim’s private RSA key for decryption or to forge a PKCS#1 v1.5 signature. This vulnerability directly compromises confidentiality and integrity of encrypted or signed messages.

Affected Systems

The problem exists in OpenSSL libraries that do not yet implement the implicit rejection mechanism for RSA PKCS#1 v1.5 key transport. No specific version range is supplied in the advisory; it applies to releases lacking the patch shipped in the referenced commits. Systems running earlier OpenSSL builds that still use this key transport method are at risk.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity, EPSS is not available, and KEV does not list the vulnerability. This suggests that exploitation density is currently low. However, the attack requires an attacker to supply messages and observe error or output differences, which is unlikely for typical deployments. If an application exposes the CMS or PKCS#7 decryption APIs in a way that a remote attacker can supply data, the risk rises sharply, as the attacker could effectively use the victim’s RSA private key for decryption or signature forgery.

Generated by OpenCVE AI on June 9, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest OpenSSL release that implements implicit rejection for RSA PKCS#1 v1.5 key transport (see the patched commits referenced in the advisory).
  • When calling CMS_decrypt() or PKCS7_decrypt(), always provide the recipient’s certificate so that only the intended RecipientInfo is processed and the loop over multiple entries is avoided.
  • If upgrading immediately cannot be performed, reconfigure the application to reject CMS or S/MIME messages containing multiple RecipientInfo entries and disable RSA PKCS#1 v1.5 key transport in favor of OAEP or a stronger key-transport scheme.

Generated by OpenCVE AI on June 9, 2026 at 22:49 UTC.


Advisories
Source: Debian DSA, ID: DSA-6335-1, Title: openssl security update
Source: Ubuntu USN, ID: USN-8414-1, Title: OpenSSL vulnerabilities
History

Tue, 09 Jun 2026 21:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Type: First Time appeared
Values Added: Openssl; Openssl openssl
Type: Vendors & Products
Values Added: Openssl; Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type: Description
Values Added: the full issue description, identical to the Description section above.
Type: Title
Values Added: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()
Type: Weaknesses
Values Added: CWE-514
References

MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-09T19:40:22.532Z

Reserved: 2026-04-29T09:22:27.969Z

Link: CVE-2026-42768

Vulnrichment

Updated: 2026-06-09T19:40:13.927Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:08.223

Modified: 2026-06-09T21:17:17.587

Link: CVE-2026-42768

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:00:15Z
