VYPR
Medium severity 5.3 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-42769

Description

OpenSSL's CMP certificate validation flaw allows RA credentials to escalate trust to the root CA level.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual. A typo in the certificate chain building code led to adding an incorrect certificate to the chain, meaning only the issuer name and algorithm OIDs were verified. This affects OpenSSL versions prior to the patched releases, excluding FIPS modules. [1]

Exploitation

An attacker with valid Registration Authority (RA) level credentials can generate a new key pair and use a crafted self-signed certificate in its id-it-rootCaKeyUpdate CMP messages. Affected CMP clients would accept this crafted certificate as a new trust anchor, effectively replacing the root CA certificate for CMP clients with an arbitrary root CA certificate. [1]
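To make the Vulnerability and Exploitation paragraphs concrete, here is an added illustration in Go; it is not OpenSSL's code and does not reproduce the typo in its chain-building callback. It assumes the CMP root key update mechanism as the specification defines it (the new root certificate is accompanied by a newWithOld certificate, i.e. the new root key signed by the old root key, which is what the client relies on to trust the new anchor); that detail comes from the CMP specification, not from this page. The names `Example Root CA`, the helpers `makeCA`, `weakAccept`, `strictAccept` and `RunScenario`, and the keys and certificates built at runtime are all constructed for the example. `weakAccept` mirrors the validation the advisory describes as ineffective (issuer name and algorithm OIDs only); `strictAccept` is the check a client needs before installing a replacement trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA builds a CA certificate for pub with the given subject name (constructed
// helper). With parent == nil the certificate is self-signed by signer; otherwise
// it is issued under parent and signed with signer, which must be parent's key.
func makeCA(serial int64, subject string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// weakAccept models the ineffective validation the advisory describes: only the
// issuer name and the signature algorithm are compared against the trusted root.
// No signature is ever checked, so any self-signed certificate that copies the
// root's name and algorithm is accepted.
func weakAccept(candidate, trusted *x509.Certificate) bool {
	return candidate.Issuer.String() == trusted.Subject.String() &&
		candidate.SignatureAlgorithm == trusted.SignatureAlgorithm
}

// strictAccept is what a client must require before replacing its trust anchor:
// the candidate (the newWithOld certificate) has to carry a signature that
// verifies under the key of the root it replaces, and it has to be a CA cert.
func strictAccept(candidate, trusted *x509.Certificate) error {
	if err := candidate.CheckSignatureFrom(trusted); err != nil {
		return fmt.Errorf("candidate is not signed by the current root: %w", err)
	}
	if !candidate.BasicConstraintsValid || !candidate.IsCA {
		return fmt.Errorf("candidate is not a CA certificate")
	}
	return nil
}

// Verdicts records whether each check accepts the genuine update and the rogue one.
type Verdicts struct {
	WeakLegit, WeakRogue, StrictLegit, StrictRogue bool
}

// RunScenario builds the old root, a genuine newWithOld certificate (new key,
// signed by the old root) and a rogue self-signed certificate that merely reuses
// the root's name, then runs both checks against the trusted old root.
func RunScenario() (Verdicts, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return Verdicts{}, err
		}
		keys[i] = k
	}
	oldKey, newKey, rogueKey := keys[0], keys[1], keys[2]

	oldRoot, err := makeCA(1, "Example Root CA", &oldKey.PublicKey, nil, oldKey)
	if err != nil {
		return Verdicts{}, err
	}
	newWithOld, err := makeCA(2, "Example Root CA", &newKey.PublicKey, oldRoot, oldKey)
	if err != nil {
		return Verdicts{}, err
	}
	rogue, err := makeCA(3, "Example Root CA", &rogueKey.PublicKey, nil, rogueKey)
	if err != nil {
		return Verdicts{}, err
	}
	return Verdicts{
		WeakLegit:   weakAccept(newWithOld, oldRoot),
		WeakRogue:   weakAccept(rogue, oldRoot),
		StrictLegit: strictAccept(newWithOld, oldRoot) == nil,
		StrictRogue: strictAccept(rogue, oldRoot) == nil,
	}, nil
}

func main() {
	v, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("name/OID-only check: genuine=%v rogue=%v\n", v.WeakLegit, v.WeakRogue)
	fmt.Printf("signature check:     genuine=%v rogue=%v\n", v.StrictLegit, v.StrictRogue)
}
```

Running it shows the name-and-algorithm comparison accepting both the genuine update and the rogue certificate, while the signature check accepts only the certificate actually signed by the current root. `CheckSignatureFrom` is deliberately a narrow, single-step check here; a production CMP client would additionally apply its full path validation and its own policy for when a root key update is permitted at all.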

Impact

The Registration Authority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. This allows an attacker to escalate credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. [1]

Mitigation

OpenSSL versions prior to the patched releases are vulnerable. Specific patched versions are expected to be released. The FIPS modules are not affected. [1]

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
