OpenSSL Project: 18 Vulnerabilities Disclosed Together on June 9, 2026
OpenSSL Project released patches for 18 vulnerabilities, including high-severity flaws affecting CMS, PKCS#7, and QUIC processing, disclosed simultaneously on June 9, 2026.
Key findings
- 18 vulnerabilities disclosed simultaneously for OpenSSL on June 9, 2026.
- High-severity CVE-2026-45447 allows potential remote code execution via PKCS#7 verification flaw.
- Multiple vulnerabilities affect CMS and PKCS#7 processing, including forgery and DoS risks.
- QUIC protocol handling issues can lead to heap exhaustion and denial of service.
- Flaws in ASN.1 parsing and certificate validation also disclosed, with varied impacts.
- Users are urged to update to patched OpenSSL versions immediately.
OpenSSL Project Addresses 18 Vulnerabilities in Simultaneous Disclosure
On June 9, 2026, the OpenSSL Project disclosed a significant batch of 18 vulnerabilities affecting its widely used cryptography library. These issues, all published on the same day, span a range of critical functions including cryptographic message syntax (CMS), PKCS#7 processing, and the QUIC protocol, with potential impacts ranging from denial of service to remote code execution.
Cryptographic Message Syntax (CMS) and PKCS#7 Flaws
A notable cluster of vulnerabilities impacts the handling of CMS and PKCS#7 messages. CVE-2026-45447, identified as a high-severity heap use-after-free bug, can be triggered by a specially crafted PKCS#7 or S/MIME signed message during signature verification, potentially leading to remote code execution. This vulnerability was discovered in collaboration with AI tools. Similarly, CVE-2026-45446 and CVE-2026-34182 highlight mishandling of authentication data in AES-SIV and AES-GCM-SIV implementations, allowing for message forgery. Other CMS-related issues include CVE-2026-45445, where initialisation vectors are silently discarded in AES-OCB mode, and CVE-2026-9076, a heap out-of-bounds read during password-based decryption. CVE-2026-42768 describes a Bleichenbacher-style attack vulnerability in CMS decryption, and CVE-2026-42766 points to a NULL pointer dereference when processing password-encrypted CMS messages. Furthermore, CVE-2026-34181 involves a flaw in PKCS#12 file processing with PBMAC1 integrity, potentially enabling certificate and private key forgery.
QUIC and TLS Protocol Vulnerabilities
The disclosure also includes several vulnerabilities related to the QUIC protocol and TLS extensions. CVE-2026-34183 details how a malicious peer can exhaust heap memory of QUIC servers or clients by flooding them with packets containing PATH_CHALLENGE frames, leading to denial of service. CVE-2026-42764 addresses a NULL pointer dereference in OpenSSL's QUIC server when receiving an initial packet with an invalid token, also resulting in denial of service. On the TLS side, CVE-2026-35188 describes a double-free vulnerability in the client's certificate verification path when handling crafted TLS OCSP stapling responses, which could lead to heap corruption.
Other Cryptographic and ASN.1 Issues
Several other vulnerabilities affect core cryptographic operations and data parsing. CVE-2026-7383 involves a signed integer overflow leading to a heap buffer overflow when sizing destination buffers for Unicode output in ASN1_mbstring_ncopy(). CVE-2026-42771 details an out-of-bounds read when validating crafted email addresses using X509_VERIFY_PARAM_set1_email. CVE-2026-42770 highlights a missing check for subgroup membership when EVP_PKEY_derive_set_peer() is called with a DHX peer key, potentially allowing a malicious peer to manipulate the key exchange. CVE-2026-42769 describes an error in certificate validation callbacks for Root CA key updates in CMP messages, potentially leading to credential escalation. Finally, CVE-2026-34180 points to a heap buffer over-read on 64-bit Unix-like platforms when parsing extremely large DER-encoded ASN.1 structures.
Response and Impact
The OpenSSL Project has released updated versions to address all 18 vulnerabilities. Users are strongly advised to update to the patched versions as soon as possible to mitigate the risks associated with these flaws. The simultaneous disclosure of such a large number of vulnerabilities underscores the importance of timely patching and security updates for critical infrastructure components like OpenSSL.
This extensive batch of vulnerabilities highlights potential weaknesses across various cryptographic protocols and data handling mechanisms within OpenSSL. The range of impacts, from denial of service to potential remote code execution, necessitates prompt attention from all users of the library.