CVE-2026-42766

EUVD-2026-35483

09.06.2026, 17:17

Issue summary: A specially crafted password-encrypted CMS message
can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash
and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as
OPTIONAL in the ASN.1 specification and may therefore be absent in specially
crafted inputs. During the password-based CMS decryption the OpenSSL
CMS implementation dereferences this field without first checking whether it
was present.

An attacker who supplies such a CMS message to an application performing
password-based CMS decryption can trigger an application crash, leading to
a Denial of Service.

Applications that process password-encrypted CMS messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
openssl	CNA	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
openssl	openssl	4.0.0 ≤ 𝑥 < 4.0.1	CNA
openssl	openssl	3.6.0 ≤ 𝑥 < 3.6.3	CNA
openssl	openssl	3.5.0 ≤ 𝑥 < 3.5.7	CNA
openssl	openssl	3.4.0 ≤ 𝑥 < 3.4.6	CNA
openssl	openssl	3.0.0 ≤ 𝑥 < 3.0.21	CNA

Debian Releases

Debian Product

Codename

openssl

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable
trixie (security)	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

openssl

bionic	Fixed 1.1.1-1ubuntu2.1~18.04.23+esm9 released
focal	Fixed 1.1.1f-1ubuntu2.24+esm4 released
jammy	Fixed 3.0.2-0ubuntu1.25 released
noble	Fixed 3.0.13-0ubuntu3.11 released
questing	Fixed 3.5.3-1ubuntu3.4 released
resolute	Fixed 3.5.5-1ubuntu3.2 released
trusty	Fixed 1.0.1f-1ubuntu2.27+esm14 released
xenial	Fixed 1.0.2g-1ubuntu4.20+esm16 released

openssl-fips

jammy	dne
noble	dne
questing	dne
resolute	dne

openssl1.0

bionic	Fixed 1.0.2n-1ubuntu5.13+esm5 released
jammy	dne
noble	dne
questing	dne
resolute	dne

nodejs

bionic	needs-triage
focal	not-affected
jammy	needed
noble	not-affected
questing	not-affected
resolute	not-affected
trusty	not-affected

edk2

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
resolute	needs-triage

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce

https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4

https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7

https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4

https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8

https://openssl-library.org/news/secadv/20260609.txt