CVE-2026-22795
Description
Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.
Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.
A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.
The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
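As an added illustration (not OpenSSL's code and not the patched function), the following C model shows the union-access pattern behind this class of bug and the tag check that prevents it. It uses a cut-down stand-in for OpenSSL's ASN1_TYPE with only the boolean and octet_string members, the real V_ASN1_BOOLEAN and V_ASN1_OCTET_STRING tag values, and assumes a little-endian target; the BOOLEAN-where-OCTET-STRING-was-expected case is one constructed way a pointer member can read as a value in 0x00..0xFF, not a claim about the exact element involved in CVE-2026-22795.

```c
#include <stdint.h>
#include <string.h>
/* Real OpenSSL tag values for the two universal types modelled here. */
#define V_ASN1_BOOLEAN      1
#define V_ASN1_OCTET_STRING 4
/* Stand-in for OpenSSL's ASN1_STRING, reduced to the fields used here. */
typedef struct { int length; int type; unsigned char *data; } ASN1_STRING;
/* Cut-down model of OpenSSL's ASN1_TYPE: a tag plus a union whose active
 * member is selected by that tag. Only two members are modelled. */
typedef struct {
    int type;
    union {
        int boolean;                /* valid when type == V_ASN1_BOOLEAN */
        ASN1_STRING *octet_string;  /* valid when type == V_ASN1_OCTET_STRING */
    } value;
} ASN1_TYPE;

/* Vulnerable pattern: read the pointer member without checking the tag.
 * Returned as raw bits, not dereferenced, so this stays safe to run;
 * the dereference is the zero-page read the advisory describes. */
uintptr_t unchecked_octet_string_bits(const ASN1_TYPE *t) {
    return (uintptr_t)t->value.octet_string;
}

/* Hardened pattern: validate the tag before touching the union. */
const ASN1_STRING *checked_octet_string(const ASN1_TYPE *t) {
    if (t == NULL || t->type != V_ASN1_OCTET_STRING)
        return NULL;
    return t->value.octet_string;
}

/* Constructed malformed element: BOOLEAN TRUE (0xFF) where an OCTET STRING
 * was expected. Returns 1 if the checked accessor rejects it and the unchecked
 * read yields an address in 0x00..0xFF (assumes a little-endian target). */
int boolean_element_is_rejected(void) {
    ASN1_TYPE t;
    memset(&t, 0, sizeof t);      /* zero the bytes the int does not cover */
    t.type = V_ASN1_BOOLEAN;
    t.value.boolean = 0xFF;
    return checked_octet_string(&t) == NULL
        && unchecked_octet_string_bits(&t) <= 0xFF;
}
/* Constructed well-formed element: the checked accessor returns the string. */
int octet_element_is_accepted(void) {
    unsigned char data[] = { 0x01, 0x02, 0x03 };
    ASN1_STRING s = { (int)sizeof data, V_ASN1_OCTET_STRING, data };
    ASN1_TYPE t = { V_ASN1_OCTET_STRING, { .octet_string = &s } };
    return checked_octet_string(&t) == &s;
}
```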
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A type confusion in OpenSSL PKCS#12 parsing causes an invalid or NULL pointer dereference, leading to a denial of service when processing a malformed file.
Vulnerability Overview
CVE-2026-22795 is a type confusion vulnerability in OpenSSL's PKCS#12 parsing code. The root cause is that an ASN1_TYPE union member is accessed without first validating the type, leading to an invalid or NULL pointer dereference on memory read [2]. This occurs when an application processes a malformed PKCS#12 file.
Exploitation Details
Exploitation
Exploitation requires a user or application to process a maliciously crafted PKCS#12 file [2]. The invalid pointer read is constrained to a 1-byte address space (0x00-0xFF), which corresponds to the zero page. On most modern operating systems, this page is unmapped, causing a reliable crash and denial of service [2]. The attack surface is limited because PKCS#12 files are typically used to store and exchange trusted private keys, making it uncommon for applications to accept untrusted files [2].
Impact
Successful exploitation results in a denial of service due to a crash from the invalid pointer dereference [2]. The vulnerability does not allow arbitrary code execution because the pointer manipulation is confined to the unmapped zero page [2].
Mitigation
OpenSSL versions 3.6, 3.5, 3.4, 3.3, 3.0, and 1.1.1 are vulnerable [2]. The FIPS modules in 3.5, 3.4, 3.3, and 3.0 are not affected because PKCS#12 processing is outside the FIPS module boundary [2]. OpenSSL 1.0.2 is not affected [2]. Patches have been released to fix the issue [2]. Siemens has also listed affected products in advisory SSA-265688 [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: 3.0-POST-CLANG-FORMAT-WEBKIT, 3.0-PRE-CLANG-FORMAT-WEBKIT, 3.3-POST-CLANG-FORMAT-WEBKIT, …
- (no CPE) range: 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4 (nvd, Patch)
- github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49 (nvd, Patch)
- github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12 (nvd, Patch)
- github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e (nvd, Patch)
- github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2 (nvd, Patch)
- openssl-library.org/news/secadv/20260127.txt (nvd, Vendor Advisory)
- cert-portal.siemens.com/productcert/html/ssa-265688.html (nvd)
News mentions
No linked articles in our index yet.