VYPR
Low severity · 3.7 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-42768

Description

OpenSSL's CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attacks, potentially allowing decryption or signing with a victim's private key.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The CMS_decrypt and PKCS7_decrypt functions in OpenSSL are vulnerable to Bleichenbacher-style attacks. The vulnerability is exposed when an attacker can supply CMS or S/MIME messages to an application and observe its error codes or decryption output. It arises in two variants: when the decryption API is called without a recipient certificate, OpenSSL iterates over all KeyTransRecipientInfo entries instead of stopping at the first success; and when the recipient is not found, a random key is substituted, which an attacker can exploit if both error codes and decryption results are observable. OpenSSL versions 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2 are affected [1].

Exploitation

An attacker can exploit this vulnerability by crafting a message with two KeyTransRecipientInfo entries, where the first wraps a real content-encryption key (CEK) under the victim's public key, and the second contains an arbitrary probe ciphertext. If the application's error code is observable, the attacker can iterate the second KeyTransRecipientInfo to obtain a valid PKCS#1 v1.5 padding, creating a Bleichenbacher oracle. Alternatively, if the decryption API is provided with a recipient certificate but the recipient is not found, a random key is substituted, and an attacker observing both error codes and decryption results can also mount a Bleichenbacher oracle [1].

Impact

Successful exploitation of this vulnerability allows an attacker to use the victim's vulnerable application as an oracle to decrypt arbitrary RSA ciphertexts or forge arbitrary PKCS#1 v1.5 signatures using the victim's private RSA key. The severity is considered Low because the existence of applications that provide an attacker with the necessary conditions to mount this attack is considered very unlikely [1].

Mitigation

To mitigate these attacks, OpenSSL has updated the EVP_PKEY_decrypt() function to use an implicit rejection mechanism when RSA PKCS#1 v1.5 Key Transport is in use, as described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases, this implicit rejection was explicitly disabled. OpenSSL 4.0 users should upgrade to OpenSSL 4.0.1, 3.6 users to 3.6.3, 3.5 users to 3.5.7, 3.4 users to 3.4.6, 3.0 users to 3.0.21, 1.1.1 users to 1.1.1zh, and 1.0.2 users to 1.0.2zq [1].
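The implicit-rejection behaviour described above, shown as an added example that is not OpenSSL's code: a toy RSA key built from two Mersenne primes (an assumption for the demo), PKCS#1 v1.5 decryption that raises on bad padding beside a patched version that instead returns a synthetic message derived from the private key and the ciphertext, a simplified form of the draft's construction.

```python
import hashlib
import hmac
import os

# Toy RSA key from two known Mersenne primes: constructed for this example, far too small for real use.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8           # modulus size in bytes (30 here)

def rsa_raw(block: bytes, exp: int) -> bytes:
    """Textbook RSA on one K-byte big-endian block."""
    return pow(int.from_bytes(block, "big"), exp, N).to_bytes(K, "big")

def pkcs1_v15_encrypt(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 (RFC 8017 7.2.1): 00 02 <non-zero PS> 00 M, then RSA."""
    ps_len = K - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < ps_len:                 # padding-string bytes must be non-zero
        ps += bytes(b for b in os.urandom(ps_len) if b)
    return rsa_raw(b"\x00\x02" + ps[:ps_len] + b"\x00" + msg, E)

def _unpad(em: bytes):
    """Return (padding_ok, message); the 00 separator must follow >= 8 PS bytes."""
    sep = em.find(b"\x00", 2)
    ok = em[:2] == b"\x00\x02" and sep >= 10
    return ok, (em[sep + 1:] if ok else b"")

def decrypt_explicit_reject(ct: bytes) -> bytes:
    """Pre-fix behaviour: bad padding surfaces as a distinct error."""
    ok, msg = _unpad(rsa_raw(ct, D))
    if not ok:
        raise ValueError("bad padding")     # an observable failure is the oracle
    return msg

def decrypt_implicit_reject(ct: bytes) -> bytes:
    """Patched behaviour, a simplified form of draft-irtf-cfrg-rsa-guidance: bad padding
    yields a synthetic message that is a deterministic function of the private key and ct."""
    # Derive the synthetic message unconditionally, before the padding is examined.
    kdk = hmac.new(D.to_bytes(K, "big"), ct, hashlib.sha256).digest()
    max_len = K - 11
    synth_len = int.from_bytes(hmac.new(kdk, b"len", hashlib.sha256).digest()[:2], "big") % (max_len + 1)
    stream = b"".join(hmac.new(kdk, bytes([i]), hashlib.sha256).digest() for i in range(max_len // 32 + 1))
    ok, msg = _unpad(rsa_raw(ct, D))
    return msg if ok else stream[:synth_len]   # real code must also keep this branch constant-time
```

Because the synthetic message depends only on the key and the ciphertext, repeated queries with the same probe return the same plausible-looking plaintext, and the caller never learns whether the padding check failed.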

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
