VYPR
High severity (7.5) · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-42765

Description

OpenSSL's partial-chain certificate verification with OCSP checking can lead to a NULL dereference and DoS if the chain lacks a self-signed anchor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference occurs in OpenSSL when partial-chain certificate verification is enabled together with OCSP response checking for the entire chain, and the verified chain does not end in a self-signed trusted anchor. Hitting this condition crashes the process. Only applications that explicitly enable both the X509_V_FLAG_OCSP_RESP_CHECK_ALL and X509_V_FLAG_PARTIAL_CHAIN flags are affected; both are disabled by default. This issue does not affect FIPS modules [1].

Exploitation

An attacker can trigger this vulnerability by presenting a certificate chain that, under an application configuration with both partial-chain verification and whole-chain OCSP response checking enabled, verifies without a self-signed trusted anchor in the built chain. When the code then attempts to access the issuer of the last certificate in that chain, no issuer exists, so it encounters a NULL pointer, dereferences it, and crashes [1].
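The chain walk described above, reduced to a small model (an added example; this is not OpenSSL's code and does not use its API): a constructed chain, an issuer lookup that yields NULL when the partial-chain anchor is not self-signed, the unchecked access that would crash, and a fail-closed walk that refuses check-all instead. The names `cert_t`, `chain_issuer_of` and `ocsp_check_chain` are hypothetical; the only OCSP fact relied on is that a status lookup for a certificate needs that certificate's issuer.

```c
#include <string.h>
typedef struct {
    const char *subject;
    const char *issuer;   /* equals subject for a self-signed certificate */
} cert_t;

typedef struct {
    const cert_t *certs;  /* verified chain: leaf first, trust anchor last */
    size_t n;
} chain_t;

/* Issuer of certs[i] as the verified chain knows it: the next element, or
 * the cert itself when self-signed. Under partial-chain verification the
 * anchor may be a non-self-signed intermediate whose issuer was never
 * loaded, so for the last element this yields NULL. */
const cert_t *chain_issuer_of(const chain_t *c, size_t i) {
    const cert_t *cur = &c->certs[i];
    if (strcmp(cur->subject, cur->issuer) == 0) return cur;
    if (i + 1 < c->n) return &c->certs[i + 1];
    return NULL;
}

/* Unchecked access: an OCSP lookup hashes the issuer name, so reaching the
 * last cert of a partial chain dereferences NULL (the reported crash). */
size_t ocsp_issuer_name_len_unchecked(const chain_t *c, size_t i) {
    return strlen(chain_issuer_of(c, i)->subject);
}

/* Fail-closed walk: number of certs whose OCSP status can be looked up, or -1
 * when check_all reaches a cert with no issuer in the chain. Model assumption:
 * without check_all only the leaf is checked. */
int ocsp_check_chain(const chain_t *c, int check_all) {
    size_t limit = check_all ? c->n : (c->n > 0 ? 1 : 0);
    int checked = 0;
    for (size_t i = 0; i < limit; i++) {
        const cert_t *issuer = chain_issuer_of(c, i);
        if (issuer == NULL) return -1;
        (void)strlen(issuer->subject);   /* stand-in for the lookup */
        checked++;
    }
    return checked;
}

/* Constructed sample chains (not real certificates). */
static const cert_t full_certs[] = {{"leaf.example", "Intermediate CA"},
    {"Intermediate CA", "Root CA"}, {"Root CA", "Root CA"}};
static const cert_t partial_certs[] = {{"leaf.example", "Intermediate CA"},
    {"Intermediate CA", "Root CA"}};   /* Intermediate CA trusted directly */
const chain_t FULL_CHAIN = {full_certs, 3};
const chain_t PARTIAL_CHAIN = {partial_certs, 2};
```

On FULL_CHAIN check-all succeeds for all three certificates; on PARTIAL_CHAIN the leaf-only check passes but check-all returns -1 at the anchor, which is exactly where the unchecked variant would dereference NULL.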

Impact

Successful exploitation of this vulnerability results in a NULL pointer dereference, which causes the affected application process to crash. This leads to a Denial of Service (DoS) for the application, making it unavailable to legitimate users [1].

Mitigation

OpenSSL 4.0 users should upgrade to OpenSSL 4.0.1. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.3. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.7. OpenSSL 3.4 users should upgrade to OpenSSL 3.4.6. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.21. OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1zh (premium support customers only). OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zq (premium support customers only) [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
