VYPR
High severity 7.5 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-45445

Description

OpenSSL's AES-OCB cipher discards supplied IVs when using the EVP_Cipher() interface, leading to nonce reuse and potential forgery.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

OpenSSL's AES-OCB implementation, when driven through the EVP_Cipher() one-shot interface, silently discards the application-supplied initialization vector (IV). All OpenSSL versions that expose this interface for AES-OCB are affected, except the FIPS modules of versions 4.0, 3.6, 3.5, 3.4, and 3.0. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite and libssl does not call EVP_Cipher() [1].

Exploitation

The vulnerable code path is reached whenever an application encrypts with an AES-OCB cipher through the EVP_Cipher() one-shot API. Because the supplied IV is ignored, any message encrypted under the same key through this interface triggers the issue: every such message is processed under the same effective nonce, so an attacker needs nothing more than observed ciphertext. If the same code path also computes the authentication tag, that tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, which is what makes forgery possible [1].

Impact

Successful exploitation results in a loss of confidentiality: every message encrypted under the same key effectively reuses the same nonce regardless of the IV the caller supplies, and OCB, like every nonce-based AEAD mode, depends on nonce uniqueness for its security guarantees. Where the authentication tag is computed through the same path, the tag depends solely on the (key, IV) pair, so an attacker who captures a single valid message can forge a tag for arbitrary ciphertext under that key (universal forgery) [1].

Mitigation

Applications that combine an AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable; applications that use the streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) are not. Affected releases are OpenSSL 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1 and 1.0.2. Users should upgrade to the patched releases: OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh (premium support) or 1.0.2zq (premium support) [1]. Because the streaming interface is unaffected, rewriting OCB call sites to use EVP_CipherUpdate / EVP_CipherFinal_ex also removes the vulnerable code path where an upgrade cannot be deployed immediately. Ciphertexts already produced through the one-shot path were encrypted under a reused nonce and should be treated accordingly.
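A triage check a practitioner wants at this point is a quick way to find source files that pair the one-shot EVP_Cipher() with an AES-OCB cipher. The POSIX shell script below is an added example, not part of the advisory or of OpenSSL itself; the file-extension list, the two regular expressions and the sample source tree it constructs are assumptions for illustration. It flags a file only when both the one-shot call and an OCB reference (a legacy EVP_aes_*_ocb() constructor or an "aes-*-ocb" fetch name) appear in it, so it is a heuristic: it misses pairings split across files and cannot tell whether the flagged call is actually reached.

```shell
#!/bin/sh
# Heuristic source audit for the EVP_Cipher() + AES-OCB pairing described above.
# A file is flagged when it BOTH calls the one-shot EVP_Cipher() AND references an
# AES-OCB cipher (legacy EVP_aes_*_ocb() constructor or an "aes-*-ocb" fetch name).
# Streaming users (EVP_CipherUpdate/EVP_CipherFinal_ex) and non-OCB one-shot users
# are not flagged, matching the advisory's scoping. Cross-file data flow is not tracked.

# Word-bounded EVP_Cipher( ; does not match EVP_CipherUpdate( or EVP_CIPHER_CTX_new(.
ONESHOT_PATTERN='(^|[^A-Za-z0-9_])EVP_Cipher[[:space:]]*\('
# EVP_aes_128_ocb( etc., or a quoted fetch name such as "AES-128-OCB" / "aes-256-ocb".
OCB_PATTERN='EVP_aes_(128|192|256)_ocb[[:space:]]*\(|"[Aa][Ee][Ss]-(128|192|256)-[Oo][Cc][Bb]"'

# audit_ocb_oneshot ROOT: print each candidate file under ROOT, one per line, sorted.
audit_ocb_oneshot() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' \
                         -o -name '*.h' -o -name '*.hpp' \) -print |
    while IFS= read -r file; do
        if grep -qE "$ONESHOT_PATTERN" "$file" && grep -qE "$OCB_PATTERN" "$file"; then
            printf '%s\n' "$file"
        fi
    done | sort
}

# make_sample_tree: build a constructed sample tree (not real project code) and print its path.
make_sample_tree() {
    sample=$(mktemp -d)
    # Flagged: legacy constructor + one-shot call.
    cat > "$sample/legacy_oneshot.c" <<'EOF'
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, EVP_aes_128_ocb(), NULL, key, iv);
EVP_Cipher(ctx, out, in, inlen);          /* one-shot path */
EOF
    # Flagged: provider fetch by name + one-shot call.
    cat > "$sample/fetch_oneshot.c" <<'EOF'
EVP_CIPHER *c = EVP_CIPHER_fetch(NULL, "AES-256-OCB", NULL);
EVP_EncryptInit_ex(ctx, c, NULL, key, iv);
EVP_Cipher (ctx, out, in, inlen);
EOF
    # Not flagged: OCB via the streaming interface.
    cat > "$sample/streaming_ok.c" <<'EOF'
EVP_EncryptInit_ex(ctx, EVP_aes_128_ocb(), NULL, key, iv);
EVP_EncryptUpdate(ctx, out, &outl, in, inlen);
EVP_EncryptFinal_ex(ctx, out + outl, &tmpl);
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, tag);
EOF
    # Not flagged: one-shot call, but not an OCB cipher.
    cat > "$sample/gcm_oneshot.c" <<'EOF'
EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, key, iv);
EVP_Cipher(ctx, out, in, inlen);
EOF
    printf '%s\n' "$sample"
}

if [ -n "${1-}" ]; then
    audit_ocb_oneshot "$1"            # usage: sh audit_ocb_oneshot.sh /path/to/source
else
    demo_dir=$(make_sample_tree)      # no argument: run against the constructed sample tree
    echo "Candidate EVP_Cipher()+AES-OCB files:"
    audit_ocb_oneshot "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Run it with a source root as the first argument; with no argument it audits the constructed sample tree and should list only the two one-shot OCB files. Hits are starting points for manual review, for confirming which OpenSSL release the binary links against, and for moving the call site to the streaming interface.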

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
