CVE-2026-45446
Description
OpenSSL's AES-SIV and AES-GCM-SIV implementations allow forging empty messages with arbitrary AAD.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenSSL versions 3.0 and 3.2 are vulnerable in their provider implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) respectively. The vulnerability occurs when a caller supplies Additional Authenticated Data (AAD) and then calls EVP_DecryptFinal_ex() without updating the ciphertext, specifically when the received ciphertext length is zero. In this scenario, the tag is not recalculated and retains its initial all-zeros value, leading to a bypass of authentication [1].
Exploitation
An attacker can exploit this vulnerability by sending an empty ciphertext along with arbitrary AAD and an all-zeros tag. For AES-GCM-SIV, this attack can be mounted in a single shot without knowing the key. For AES-SIV, the attack requires the application to reuse the decryption context without resetting the key. Crucially, the application must implement its own protocol using the EVP interface and skip the ciphertext update for messages with zero-length ciphertext [1].
Impact
Successful exploitation allows an attacker to forge empty messages with arbitrary AAD to the victim's application. This means an attacker can craft messages that appear to be valid and authenticated, even without possessing the correct decryption key, leading to potential data manipulation or unauthorized actions within the application [1].
Mitigation
OpenSSL versions 3.0.21, 3.2.x (and later), 3.4.6, 3.5.7, 3.6.3, and 4.0.1 contain fixes for this issue. Users should upgrade to the fixed versions. The FIPS modules are not affected as these algorithms are not FIPS approved and the affected code is outside the FIPS module boundary [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=3.0.0,<3.2.0 for AES-SIV; >=3.2.0 for AES-GCM-SIV
Patches
- github.com/openssl/security/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85
- github.com/openssl/security/commit/eec5e9bf0d867333b8495e456f5235d225798a68
- github.com/openssl/security/commit/daca0f48e4a69a2892a62262bad59e62a8a76598
- github.com/openssl/security/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3
- github.com/openssl/security/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc
References
- github.com/openssl/security/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc (nvd)
- github.com/openssl/security/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3 (nvd)
- github.com/openssl/security/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85 (nvd)
- github.com/openssl/security/commit/daca0f48e4a69a2892a62262bad59e62a8a76598 (nvd)
- github.com/openssl/security/commit/eec5e9bf0d867333b8495e456f5235d225798a68 (nvd)
- openssl-library.org/news/secadv/20260609.txt (nvd)
News mentions
- OpenSSL Project: 18 Vulnerabilities Disclosed Together on June 9, 2026 (Vypr Intelligence, Jun 9, 2026)