VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-34182

Description

OpenSSL's CMS processing has vulnerabilities allowing key compromise and integrity bypass by manipulating cipher and tag lengths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenSSL's Cryptographic Message Syntax (CMS) processing fails to validate the cipher and tag length fields in AuthEnvelopedData containers. This affects OpenSSL versions 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2. The FIPS modules are not affected [1].

Exploitation

An on-path attacker can capture a legitimate AES-GCM AuthEnvelopedData message and re-emit it with the recipient information intact but with an altered inner OID to a non-AEAD cipher like AES-256-OFB, along with a chosen IV and ciphertext. If the application provides feedback on decryption success or failure, the attacker can use this as an oracle to gain key-equivalent functionality for the content-encryption key. Alternatively, an attacker can reduce the tag length to a single byte, enabling brute-force decryption and bypassing integrity checks for applications that trust CMS_decrypt() to reject modified content [1].

Impact

Attackers can achieve key-equivalent functionality for a given CMS recipient, allowing them to decrypt messages intended for that recipient. They can also bypass integrity validation for messages, potentially leading to the acceptance of modified content. The specific impact depends on the application's response to decryption attempts and its trust in CMS integrity checks [1].

Mitigation

OpenSSL 4.0 users should upgrade to OpenSSL 4.0.1. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.3. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.7. OpenSSL 3.4 users should upgrade to OpenSSL 3.4.6. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.21. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1zh (premium support customers only). OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zq (premium support customers only) [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
