CVE-2026-22796

EUVD-2026-4813
Issue summary: A type confusion vulnerability exists in the signature
verification of signed PKCS#7 data where an ASN1_TYPE union member is
accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7
data or calling directly the PKCS7_digest_from_attributes() function can be
caused to dereference an invalid or NULL pointer when reading, resulting in
a Denial of Service.

The function PKCS7_digest_from_attributes() accesses the message digest attribute
value without validating its type. When the type is not V_ASN1_OCTET_STRING,
this results in accessing invalid memory through the ASN1_TYPE union, causing
a crash.

Exploiting this vulnerability requires an attacker to provide a malformed
signed PKCS#7 to an application that verifies it. The impact of the
exploit is just a Denial of Service, the PKCS7 API is legacy and applications
should be using the CMS API instead. For these reasons the issue was
assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
1.0.2 ≤
𝑥
< 1.0.2zn
opensslopenssl
1.1.1 ≤
𝑥
< 1.1.1ze
opensslopenssl
3.0.0 ≤
𝑥
< 3.0.19
opensslopenssl
3.3.0 ≤
𝑥
< 3.3.6
opensslopenssl
3.4.0 ≤
𝑥
< 3.4.4
opensslopenssl
3.5.0 ≤
𝑥
< 3.5.5
opensslopenssl
3.6.0 ≤
𝑥
< 3.6.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
SiemensSIMATIC S7-1500 TM MFP - GNU\/Linux subsystem
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
openssl
bookworm
3.0.20-1~deb12u1
fixed
bookworm (security)
3.0.19-1~deb12u2
fixed
bullseye
vulnerable
bullseye (security)
1.1.1w-0+deb11u5
fixed
forky
3.6.2-1
fixed
sid
3.6.2-1
fixed
trixie
3.5.6-1~deb13u1
fixed
trixie (security)
3.5.5-1~deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
bionic
Fixed 1.1.1-1ubuntu2.1~18.04.23+esm7
released
focal
Fixed 1.1.1f-1ubuntu2.24+esm2
released
jammy
Fixed 3.0.2-0ubuntu1.21
released
noble
Fixed 3.0.13-0ubuntu3.7
released
plucky
ignored
questing
Fixed 3.5.3-1ubuntu3
released
resolute
Fixed 3.5.5-1ubuntu1
released
trusty
Fixed 1.0.1f-1ubuntu2.27+esm12
released
xenial
Fixed 1.0.2g-1ubuntu4.20+esm14
released
openssl1.0
bionic
Fixed 1.0.2n-1ubuntu5.13+esm3
released
jammy
dne
noble
dne
plucky
dne
questing
dne
resolute
dne
nodejs
bionic
needs-triage
focal
not-affected
jammy
needed
noble
not-affected
plucky
not-affected
questing
not-affected
resolute
not-affected
trusty
not-affected
xenial
ignored
edk2
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
resolute
needs-triage
xenial
ignored
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libopenssl-3-devel
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl-3-fips-provider
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl-3-fips-provider-32bit
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl3
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl3-32bit
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
openssl-3
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssl
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-devel
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-libs
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-perl
RHEL 9
1:3.5.1-7.el9_7
fixed
Common Weakness Enumeration
References
https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
https://openssl-library.org/news/secadv/20260127.txt
https://cert-portal.siemens.com/productcert/html/ssa-265688.html