VYPR
Medium severity (5.9) · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-42766

Description

OpenSSL's CMS decryption is vulnerable to NULL pointer dereference, causing application crashes and Denial of Service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference in OpenSSL's CMS implementation during password-based decryption. The PasswordRecipientInfo structure (RFC 5652, section 6.2.4) declares its keyDerivationAlgorithm field as [0] OPTIONAL: an encoder may legitimately omit it, and the decoder then leaves the corresponding pointer NULL. The affected code reads through that pointer without first checking that the field was present, so a message that simply omits it crashes the process. Only applications that perform password-based decryption of CMS messages they do not control are exposed. The FIPS modules in versions 4.0, 3.6, 3.5, 3.4, and 3.0 are not vulnerable, because the affected code lies outside the FIPS module boundary [1].

Exploitation

An attacker only needs to get a crafted password-encrypted CMS message in front of an application that performs password-based CMS decryption on it; no particular network position, authentication, or user interaction is required. The malformed encoding alone triggers the crash: the dereference happens while the decoder reads the key-derivation parameters, before any password-derived key can be computed, so the attacker does not need to know the password [1].

Impact

Successful exploitation crashes the application, producing a Denial of Service (DoS) against any service that relies on password-based CMS decryption. No impact beyond availability is reported for this issue [1].

Mitigation

OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 are affected. The references available here do not name the fixed releases, so consult the OpenSSL security advisory for the patched versions and upgrade to one of them [1]. Until that is done, an application that must decrypt password-encrypted CMS messages from untrusted sources can reject any message whose PasswordRecipientInfo omits keyDerivationAlgorithm before handing it to the library, since that omission is the trigger.
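The following is an added example, not OpenSSL's code and not part of the advisory: a small C routine that walks the DER of a PasswordRecipientInfo and reports whether the [0] keyDerivationAlgorithm element is present. It is the presence check the Vulnerability section says the affected code lacked, and the pre-screen the Mitigation section suggests. The names (pwri_inspect, der_header, the PWRI_* constants) are mine; the two sample encodings are constructed by hand, with the PBKDF2 parameters omitted, and do not come from any real message.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not OpenSSL code). Inspects a DER-encoded
 * PasswordRecipientInfo (RFC 5652 s6.2.4; the CMS module uses IMPLICIT tags):
 *
 *   PasswordRecipientInfo ::= SEQUENCE {
 *     version                CMSVersion,
 *     keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier OPTIONAL,
 *     keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
 *     encryptedKey           EncryptedKey }
 */
enum pwri_status { PWRI_MALFORMED = -1, PWRI_NO_KDF = 0, PWRI_HAS_KDF = 1 };

/* Parse one DER tag+length header. Returns the header size, or 0 when the
 * header is truncated, uses indefinite length, or the body overruns the buffer. */
static size_t der_header(const unsigned char *buf, size_t len,
                         unsigned char *tag, size_t *body_len)
{
    size_t hdr, i;

    if (len < 2)
        return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {                 /* short form */
        *body_len = buf[1];
        hdr = 2;
    } else {                             /* long form: 0x80 | octet count */
        size_t n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n)
            return 0;
        *body_len = 0;
        for (i = 0; i < n; i++)
            *body_len = (*body_len << 8) | buf[2 + i];
        hdr = 2 + n;
    }
    if (*body_len > len - hdr)
        return 0;
    return hdr;
}

/* Enter the outer SEQUENCE (or [3] IMPLICIT when lifted out of RecipientInfo),
 * skip the version INTEGER, then look at the next tag: [0] means
 * keyDerivationAlgorithm is present; SEQUENCE means the encoder went straight
 * to keyEncryptionAlgorithm, i.e. the OPTIONAL field is absent. */
int pwri_inspect(const unsigned char *der, size_t len)
{
    unsigned char tag;
    size_t hdr, body, rem;
    const unsigned char *p;

    hdr = der_header(der, len, &tag, &body);
    if (hdr == 0 || (tag != 0x30 && tag != 0xa3))
        return PWRI_MALFORMED;
    p = der + hdr;
    rem = body;

    hdr = der_header(p, rem, &tag, &body);
    if (hdr == 0 || tag != 0x02)
        return PWRI_MALFORMED;
    p += hdr + body;
    rem -= hdr + body;

    hdr = der_header(p, rem, &tag, &body);
    if (hdr == 0)
        return PWRI_MALFORMED;
    if (tag == 0xa0)
        return PWRI_HAS_KDF;
    if (tag == 0x30)
        return PWRI_NO_KDF;
    return PWRI_MALFORMED;
}

/* Constructed samples (not captured from a real message). OIDs: id-PBKDF2
 * 1.2.840.113549.1.5.12 and id-alg-PWRI-KEK 1.2.840.113549.1.9.16.3.9. */
const unsigned char PWRI_WITH_KDF[] = {
    0x30, 0x25,
      0x02, 0x01, 0x00,                                          /* version 0 */
      0xa0, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0c,
      0x30, 0x0d, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x10, 0x03, 0x09,
      0x04, 0x04, 0xde, 0xad, 0xbe, 0xef                         /* encryptedKey */
};
const unsigned char PWRI_WITHOUT_KDF[] = {
    0x30, 0x18,
      0x02, 0x01, 0x00,
      0x30, 0x0d, 0x06, 0x0b, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x10, 0x03, 0x09,
      0x04, 0x04, 0xde, 0xad, 0xbe, 0xef
};

int main(void)
{
    printf("with kdf:    %d\n", pwri_inspect(PWRI_WITH_KDF, sizeof PWRI_WITH_KDF));
    printf("without kdf: %d\n", pwri_inspect(PWRI_WITHOUT_KDF, sizeof PWRI_WITHOUT_KDF));
    return 0;
}
```

A decoder that must accept the absent form (RFC 3211 allows it and takes it to mean the key-encryption key comes from outside the message, for example a hardware token) should branch on PWRI_NO_KDF rather than read through the pointer; one that only supports password derivation should fail closed on it. The walker also rejects lengths that overrun the buffer, which is the other way a hand-built RecipientInfo commonly breaks a naive parser.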

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
