Description
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)
processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK
cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash which leads to
Denial of Service for an application if the input buffer ends at a memory
page boundary and the following page is unmapped. There is no information
disclosure as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the
RFC that reads 7 bytes from a heap allocation that is based on the wrapped
key length from the message. There is a minimum length check based on the
block length of the wrapping cipher. However, the cipher is selected from
an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no
requirement that the cipher be a block cipher. When an attacker selects
a stream-mode cipher the guard will be ineffective and the allocated buffer
containing the unwrapped key can be too small to fit the check-bytes
specified in the RFC and a buffer over-read can happen.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password()
(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS
data are vulnerable to this issue. No password knowledge is required: the
over-read happens during the unwrap attempt before any authentication
succeeds.

The over-read is limited to a few bytes and is not written to output, so
there is no information disclosure. Triggering a crash requires the
allocation to border unmapped memory, which is unlikely with the normal
allocator.

The FIPS modules are not affected by this issue.
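As an added illustration (this is not OpenSSL's code), the C model below shows the length guard as the advisory describes it, a hardened variant that rejects a stream-mode KEK and enforces the 7-byte minimum, and the RFC 3211 check-byte test with an explicit bounds check. Function names, the 64-bit minimum block size and the sample buffers are this example's assumptions.

```c
/* Added example, not OpenSSL's kek_unwrap_key(): models the RFC 3211 PWRI
 * unwrap length guard and the check-byte test the advisory refers to. */
#include <stddef.h>

/* The check-byte test touches bytes 0..6 of the decrypted formatted key:
 * length byte, 3 check bytes, first 3 key bytes. */
#define PWRI_CHECK_BYTES 7

/* Guard as the advisory describes it: relative to the KEK block length only.
 * For a stream-mode cipher blocklen is 1, so a 2-byte buffer passes even
 * though the check-byte test reads 7 bytes. */
int guard_as_described(size_t inlen, size_t blocklen)
{
    if (blocklen == 0) return 0;
    if (inlen < 2 * blocklen) return 0;   /* fewer than two blocks */
    if (inlen % blocklen) return 0;       /* not block aligned */
    return 1;
}

/* Hardened guard (this example's choice): the KEK must be a real block
 * cipher with at least a 64-bit block, and the buffer must hold the bytes
 * the check-byte test reads regardless of block size. */
int guard_hardened(size_t inlen, size_t blocklen)
{
    if (blocklen < 8) return 0;               /* stream-mode KEK rejected */
    if (inlen < 2 * blocklen) return 0;
    if (inlen % blocklen) return 0;
    if (inlen < PWRI_CHECK_BYTES) return 0;   /* explicit, not block-relative */
    return 1;
}

/* RFC 3211 check-byte test over an already decrypted formatted key, bounded
 * by len so it never reads past the allocation. Returns 1 when bytes 1..3
 * are the bitwise complements of key bytes 4..6 and the declared key length
 * fits after the 4-byte header. */
int pwri_check_bytes_ok(const unsigned char *tmp, size_t len)
{
    if (len < PWRI_CHECK_BYTES) return 0;
    if ((size_t)tmp[0] > len - 4) return 0;   /* declared key longer than buffer */
    if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff)
        return 0;
    return 1;
}
```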
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds read occurs in the CMS password-based decryption routine when an attacker supplies CMS data that selects a stream-mode key-unwrap cipher. The key unwrapping function reads seven check bytes from a heap allocation sized by the wrapped key length; the minimum-length guard is based on the cipher's block size, so it is ineffective for stream ciphers and the read can run past the end of the allocation. The over-read is a few bytes and can trigger a crash if the allocation ends at an unmapped page boundary. The vulnerability does not leak data: the over-read bytes are never returned to the attacker. The weakness is classified as CWE-125.

Affected Systems

The affected product is OpenSSL, specifically the CMS decryption functionality exposed through the CMS_decrypt and CMS_decrypt_set1_password APIs (and the openssl cms command). No specific version ranges are provided in the data, so any OpenSSL installation that includes the vulnerable CMS implementation is potentially impacted.

Risk and Exploitability

The issue is a crash rather than code execution or data disclosure. An attacker does not need to know the decryption password; the failure occurs during key unwrapping before authentication succeeds. While the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the CVSS score of 7.5 indicates high severity, and the potential for denial of service in any application that runs CMS decryption on untrusted data makes the risk significant. Exploitation requires the attacker to deliver malformed CMS data to the vulnerable library, typically through protocols or tools that invoke CMS_decrypt.

Generated by OpenCVE AI on June 9, 2026 at 22:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenSSL to a version that includes the fix for CVE‑2026‑9076 (see the referenced OpenSSL security commits).
  • If immediate update is not possible, isolate any applications that invoke CMS_decrypt from untrusted input or run them in a sandbox to contain a crash.
  • Avoid using CMS decryption on data from untrusted sources; consider disabling CMS support if it is not required for the application.

Advisories
Source | ID | Title
Debian DSA | DSA-6335-1 | openssl security update
Ubuntu USN | USN-8414-1 | OpenSSL vulnerabilities
Ubuntu USN | USN-8414-2 | OpenSSL vulnerabilities
History

Tue, 09 Jun 2026 20:30:00 +0000
  Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 09 Jun 2026 18:00:00 +0000
  First Time appeared (added): Openssl; Openssl openssl
  Vendors & Products (added): Openssl; Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000
  Description (added): the text shown under Description above
  Title (added): Out-of-Bounds Read in CMS Password-Based Decryption
  Weaknesses (added): CWE-125
References

MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-09T19:04:20.258Z

Reserved: 2026-05-20T12:43:37.677Z

Link: CVE-2026-9076

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:50.997

Modified: 2026-06-09T20:17:03.290

Link: CVE-2026-9076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T22:15:15Z

Weaknesses