Description
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV
(RFC 8452) mishandle the authentication of AAD (Additional Authenticated
Data) with an empty ciphertext, allowing forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD
to the victim's application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD
modes: they accept a key, nonce, optional AAD (bytes that are authenticated
but not encrypted), and plaintext, and produce ciphertext plus a 16-byte
tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only
if the tag is verified successfully.

In OpenSSL's provider implementation of these ciphers, the expected tag is
computed only when the decryption update function is invoked with non-empty
data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()`
without invoking the ciphertext update, which can happen when the received
ciphertext length is zero, the tag is never recalculated and still holds its
initial all-zeros value.

With AES-GCM-SIV, an attacker who sends arbitrary AAD, an empty ciphertext,
and an all-zeros tag passes authentication under any key they do not know,
in a single shot. With AES-SIV, mounting the attack additionally requires the
application to reuse the decryption context without resetting the key.

AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since
OpenSSL 3.2.

No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support
either AES-GCM-SIV or AES-SIV. For an attack to be possible, an application
must implement its own protocol on top of the EVP interface, and it must skip
the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as these algorithms are not FIPS approved and the affected code is
outside the OpenSSL FIPS module boundary.
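
The following C program is an added illustration, not OpenSSL's code and not part of this advisory: it models the AES-GCM-SIV decryption state machine described above (expected tag buffer initialised to zeros, recomputed only by a non-empty ciphertext update) using a constructed placeholder tag function (a keyed FNV-1a, not a real MAC) and a one-byte placeholder key, and places the hardened finaliser, which derives the tag even when no ciphertext update ran, beside the flawed one. All names (`siv_ctx`, `siv_update`, `siv_final`, `decrypt_empty`, `genuine_empty_accepted`) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TAG_LEN 16
/* Constructed model of a SIV decryption context; not OpenSSL's struct. */
typedef struct {
    uint8_t key; int tag_computed;   /* placeholder key byte; was a tag derived? */
    const uint8_t *aad; size_t aad_len;
    uint8_t expected[TAG_LEN];       /* provider tag buffer: starts all-zeros */
} siv_ctx;
/* Toy keyed FNV-1a over AAD || ct: NOT a real MAC, only a stand-in for the SIV tag derivation. */
static void toy_tag(uint8_t key, const uint8_t *aad, size_t aad_len,
                    const uint8_t *ct, size_t ct_len, uint8_t out[TAG_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL ^ key;
    for (size_t i = 0; i < aad_len; i++) h = (h ^ aad[i]) * 0x100000001b3ULL;
    h = (h ^ 0xA5) * 0x100000001b3ULL;               /* AAD / ct separator */
    for (size_t i = 0; i < ct_len; i++) h = (h ^ ct[i]) * 0x100000001b3ULL;
    uint64_t w[2] = { h, (h ^ 0x5C) * 0x100000001b3ULL };
    memcpy(out, w, TAG_LEN);                         /* 16-byte tag */
}
/* Flawed behaviour from the description: the expected tag is recomputed only
   when the ciphertext update is invoked with non-empty data. */
static void siv_update(siv_ctx *c, const uint8_t *ct, size_t n) {
    if (n == 0) return;
    toy_tag(c->key, c->aad, c->aad_len, ct, n, c->expected);
    c->tag_computed = 1;
}
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) { /* constant time */
    uint8_t d = 0; for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i]; return d == 0;
}
/* fixed == 0: compare whatever the buffer holds, its initial zeros included.
   fixed == 1: derive the tag over AAD and an empty ciphertext if no update
   ran, so the zero-filled buffer can never match a received tag. */
static int siv_final(siv_ctx *c, int fixed, const uint8_t tag[TAG_LEN]) {
    if (fixed && !c->tag_computed)
        toy_tag(c->key, c->aad, c->aad_len, NULL, 0, c->expected);
    return ct_equal(c->expected, tag, TAG_LEN);
}
/* Decrypt one empty message on a fresh context; 1 means the tag was accepted. */
static int decrypt_empty(int fixed, uint8_t key, const uint8_t *aad,
                         size_t aad_len, const uint8_t tag[TAG_LEN]) {
    siv_ctx c = { key, 0, aad, aad_len, {0} };
    siv_update(&c, NULL, 0);                         /* computes nothing */
    return siv_final(&c, fixed, tag);
}
/* Genuine empty message: sender derived the real tag, the fixed path accepts. */
static int genuine_empty_accepted(uint8_t key, const uint8_t *aad, size_t n) {
    uint8_t tag[TAG_LEN]; toy_tag(key, aad, n, NULL, 0, tag);
    return decrypt_empty(1, key, aad, n, tag);
}
```

The AES-SIV variant, where the page says the context must additionally be reused without resetting the key, is not modelled here.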
Published: 2026-06-09
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates in OpenSSL's provider implementation of AES-SIV and AES-GCM-SIV. When a decryption context receives AAD but no ciphertext update, the library keeps an all-zeros authentication tag rather than recomputing it. An attacker can therefore transmit a message containing arbitrary AAD, an empty ciphertext, and a zero tag; the decryption routine will accept the message and return success, violating the integrity guarantees of these AEAD modes. The vulnerability is confined to messages that carry no ciphertext bytes; for AES-GCM-SIV it does not require knowledge of the encryption key, and for AES-SIV it requires the application to reuse a decryption context without resetting the key. The result is the ability to forge empty messages with any chosen additional authenticated data.

Affected Systems

This issue affects the OpenSSL provider implementations of AES-SIV (introduced in OpenSSL 3.0) and AES-GCM-SIV (introduced in OpenSSL 3.2). The FIPS modules of OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 are not impacted because the vulnerable code lies outside the FIPS boundary. None of the protocols implemented within OpenSSL itself (TLS, CMS, PKCS#7, HPKE, QUIC) use these ciphers, so the flaw only affects applications that implement their own protocols and call the EVP interface directly. When such applications allow an empty ciphertext to be processed, they become susceptible to forgery.

Risk and Exploitability

EPSS information is unavailable and the flaw is not listed in CISA’s KEV catalog, suggesting no confirmed widespread exploitation. Nevertheless, if an application in the wild accepts empty ciphertexts and passes them directly to EVP_DecryptFinal_ex, an attacker can craft a forged message that the application will treat as authentic. The attack requires sending a message consisting of AAD, an empty ciphertext, and a zero tag; the flow must match the described decryption path for the forgery to succeed. The risk level is therefore contingent on how broadly the affected ciphers are used in client code, but the potential impact is high because the attacker can impersonate legitimate messages without knowing the encryption key.

Generated by OpenCVE AI on June 9, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSSL to a version that contains the patch, such as 3.3.0 or later.
  • Modify the application logic to verify that ciphertext length is greater than zero before invoking EVP_DecryptFinal_ex; if the length is zero, reject the message or reset the decryption context and force a decryption update even when no data is present.
  • Ensure that AES-SIV contexts are not reused without resetting the key; create a fresh context for each message or reset it after processing.

Generated by OpenCVE AI on June 9, 2026 at 22:10 UTC.

Advisories

Source: Debian DSA    ID: DSA-6335-1    Title: openssl security update
Source: Ubuntu USN    ID: USN-8414-1    Title: OpenSSL vulnerabilities

History

Tue, 09 Jun 2026 20:30:00 +0000

Metrics added:
cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:45:00 +0000

First Time appeared: Openssl (vendor), Openssl openssl (product)
Vendors & Products added: Openssl (vendor), Openssl openssl (product)

Tue, 09 Jun 2026 16:30:00 +0000

Description added: the issue description reproduced at the top of this page.
Title added: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes
Weaknesses added: CWE-325
References

MITRE

Status: PUBLISHED
Assigner: openssl
Published:
Updated: 2026-06-09T18:49:07.756Z
Reserved: 2026-05-12T14:34:06.277Z
Link: CVE-2026-45446

Vulnrichment

Updated: 2026-06-09T18:48:27.735Z

NVD

Status: Awaiting Analysis
Published: 2026-06-09T17:17:19.137
Modified: 2026-06-09T20:16:58.340
Link: CVE-2026-45446

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T22:15:15Z

Weaknesses