VYPR
Medium severity (CVSS 5.9) · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-42767

Description

An attacker-controlled CMP server can trigger a NULL pointer dereference in OpenSSL CMP clients, leading to a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference occurs in OpenSSL CMP clients when processing a crafted CMP response. Specifically, a CRMF CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field triggers the dereference. Applications that process untrusted CMP/CRMF messages are affected. The FIPS modules in versions 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected as the vulnerable code is outside the FIPS module boundary [1].

Exploitation

An attacker controlling a CMP server or acting as a man-in-the-middle can craft a malicious CMP response. This response must contain a CRMF CertRepMessage with an EncryptedValue structure where the symmAlg field is present with an algorithm OID but lacks a parameters field. When an affected OpenSSL CMP client attempts to process this malformed response, the NULL pointer dereference will occur.

Impact

The NULL pointer dereference causes the CMP client application to crash, resulting in a Denial of Service. The scope of the impact is limited to the specific application instance processing the malicious CMP response.

Mitigation

Not yet disclosed in the available references. The provided reference [1] details a different vulnerability (CVE-2026-45447) and its mitigations, but does not provide patching information for the NULL pointer dereference in CMP clients.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.