Description
Issue Summary: An error in the callback used to verify the certificate
provided in a Root CA key update Certificate Management Protocol (CMP)
message response rendered the certificate validation ineffectual, which
could lead to escalation of credentials from the Registration Authority (RA)
level to the root Certification Authority (root CA) level.

Impact Summary: The Registration Autority could replace the root CA
certificate for the CMP clients with an arbitrary root CA certificate.

One of the parts of the Certificate Management Protocol (CMP), specified in
RFC 9810, is Root Certification Authority (root CA) key Rollover,
which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'.
As part of these messages, 'newWithOld' certificate, the new root CA
certificate signed with the old root CA key, is provided, and verifying its
signature is crucial for transferring the trust from the old CA key to the
new one.

The 'id-it-rootCaKeyUpdate' messages are expected to be processed with
OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld'
certificate. A typo in the certificate chain building code led to adding
an incorrect certificate ('newWithOld' instead of 'oldRoot') to the
certificate chain, rendering the certificate verification process ineffectual
(only the issuer name and the algorithm OIDs were verified by other parts
of the verification code).

An attacker who already has credentials that satisfy the CMP message
protection checks can generate a new key pair and use a crafted self-signed
certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP
clients would accept as a new trust anchor.

Significant preconditions for the attack (having valid RA-level credentials)
are the reason the issue was assigned Low severity.

The FIPS modules are not affected by this issue, as the affected code is
outside the OpenSSL FIPS module boundary.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During a CMP root check‑key‑update, a typo in the certificate chain builder caused OpenSSL to add the new certificate itself instead of the old root CA certificate, rendering the chain verification ineffective. An attacker with valid registration authority credentials can therefore craft a CMP message containing a self‑signed certificate that the client will accept as a new trust anchor, achieving a trust‑anchor substitution. The vulnerability is a classic CWE‑295 misuse of certificate validation.

Affected Systems

The issue affects the OpenSSL library in every release that implements the Certificate Management Protocol (CMP) root CaKeyUpdate functionality. No particular version is excluded in the available data, so all OpenSSL builds with CMP support are potentially vulnerable.

Risk and Exploitability

The CVSS score is 5.3, and the EPSS score is not available; the vulnerability is not listed in the CISA KEV catalog. Because the attack requires already‑in‑hand registration‑authority credentials, the likelihood of exploitation in the wild is limited, but the impact would be profound: the entire trust chain could be subverted for a compromised client. The potential attack vector would be an authenticated CMP session where the attacker sends a forged root‑CA‑update message over the network.

Generated by OpenCVE AI on June 9, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenSSL to the latest release that includes the fix for the certificate chain building typo. This is the official patch available in the referenced commit history.
  • If updating OpenSSL is not immediately possible, disable or block CMP rootCaKeyUpdate messages on clients that do not require key rollover capability, preventing the vulnerable path from being exercised.
  • Restrict and audit Registration Authority credentials: limit who can authenticate to CMP, ensure use of strong tokens, and perform regular reviews to detect unauthorized RA‑level access.

Generated by OpenCVE AI on June 9, 2026 at 22:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6335-1 openssl security update
Ubuntu USN Ubuntu USN USN-8414-1 OpenSSL vulnerabilities
History

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Openssl
Openssl openssl
Vendors & Products Openssl
Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Description Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Title Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
Weaknesses CWE-295
References

Subscriptions

Openssl Openssl
cve-icon MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-09T19:38:05.632Z

Reserved: 2026-04-29T09:22:27.969Z

Link: CVE-2026-42769

cve-icon Vulnrichment

Updated: 2026-06-09T19:37:50.572Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:08.377

Modified: 2026-06-09T21:17:17.790

Link: CVE-2026-42769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T22:15:15Z

Weaknesses