CVE-2026-22795

EUVD-2026-4815
Issue summary: An invalid or NULL pointer dereference can happen in
an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be
caused to dereference an invalid or NULL pointer on memory read, resulting
in a Denial of Service.

A type confusion vulnerability exists in PKCS#12 parsing code where
an ASN1_TYPE union member is accessed without first validating the type,
causing an invalid pointer read.

The location is constrained to a 1-byte address space, meaning any
attempted pointer manipulation can only target addresses between 0x00 and 0xFF.
This range corresponds to the zero page, which is unmapped on most modern
operating systems and will reliably result in a crash, leading only to a
Denial of Service. Exploiting this issue also requires a user or application
to process a maliciously crafted PKCS#12 file. It is uncommon to accept
untrusted PKCS#12 files in applications as they are usually used to store
private keys which are trusted by definition. For these reasons, the issue
was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
1.1.1 ≤
𝑥
< 1.1.1ze
opensslopenssl
3.0.0 ≤
𝑥
< 3.0.19
opensslopenssl
3.3.0 ≤
𝑥
< 3.3.6
opensslopenssl
3.4.0 ≤
𝑥
< 3.4.4
opensslopenssl
3.5.0 ≤
𝑥
< 3.5.5
opensslopenssl
3.6.0 ≤
𝑥
< 3.6.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
SiemensSIMATIC S7-1500 TM MFP - GNU\/Linux subsystem
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
openssl
bookworm
3.0.20-1~deb12u1
fixed
bookworm (security)
3.0.19-1~deb12u2
fixed
bullseye
vulnerable
bullseye (security)
1.1.1w-0+deb11u5
fixed
forky
3.6.2-1
fixed
sid
3.6.2-1
fixed
trixie
3.5.6-1~deb13u1
fixed
trixie (security)
3.5.5-1~deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
bionic
Fixed 1.1.1-1ubuntu2.1~18.04.23+esm7
released
focal
Fixed 1.1.1f-1ubuntu2.24+esm2
released
jammy
Fixed 3.0.2-0ubuntu1.21
released
noble
Fixed 3.0.13-0ubuntu3.7
released
plucky
ignored
questing
Fixed 3.5.3-1ubuntu3
released
resolute
Fixed 3.5.5-1ubuntu1
released
trusty
not-affected
xenial
not-affected
openssl1.0
bionic
not-affected
jammy
dne
noble
dne
plucky
dne
questing
dne
resolute
dne
nodejs
bionic
needs-triage
focal
not-affected
jammy
needed
noble
not-affected
plucky
not-affected
questing
not-affected
resolute
not-affected
trusty
not-affected
xenial
ignored
edk2
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
plucky
ignored
questing
not-affected
resolute
not-affected
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libopenssl-3-devel
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl-3-fips-provider
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl-3-fips-provider-32bit
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl3
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl3-32bit
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
openssl-3
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssl
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-devel
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-libs
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-perl
RHEL 9
1:3.5.1-7.el9_7
fixed
Common Weakness Enumeration
References
https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
https://openssl-library.org/news/secadv/20260127.txt
https://cert-portal.siemens.com/productcert/html/ssa-265688.html