CVE-2026-9076
Description
OpenSSL heap out-of-bounds read in CMS password-based decryption can lead to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap out-of-bounds read vulnerability exists in OpenSSL when processing attacker-supplied CMS data using password-based decryption (RFC 3211 / PWRI key unwrap). An attacker can choose a stream-mode KEK cipher, which bypasses a minimum length check for the allocated buffer. This allows the buffer to be too small for the check-bytes required by the RFC, leading to an over-read. This affects applications calling CMS_decrypt() or CMS_decrypt_set1_password() on untrusted CMS data, including the openssl cms -decrypt -pwri_password ... command. OpenSSL versions 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2 are vulnerable [1]. The FIPS modules are not affected [1].
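The length problem described above, as an added illustration that is not OpenSSL's code or its patch: a gate derived only from the cipher block size admits a 2-byte buffer when the block size is 1, while verifying the RFC 3211 check-bytes reads indices 1 through 6. The function names and sample buffers are hypothetical and constructed for this example; the "at least two whole blocks" rule is the RFC 3211 requirement.

```c
#include <stddef.h>
#include <stdio.h>

/* RFC 3211 plaintext after unwrap: [0] CEK length, [1..3] check bytes
 * (complement of CEK[0..2]), [4..] CEK followed by padding.
 * Verifying the check bytes reads indices 1..6, so 7 bytes must exist. */
#define PWRI_MIN_PLAIN 7

/* Gate derived only from the KEK cipher block size (RFC 3211: at least two
 * whole blocks). A stream-mode cipher reports block size 1, so this gate
 * alone admits a 2-byte input. */
static int block_gate_ok(size_t inlen, size_t blocklen)
{
    return blocklen != 0 && inlen >= 2 * blocklen && inlen % blocklen == 0;
}

/* Hypothetical hardened validator: returns the CEK length, or -1 on reject.
 * 'plain' is the already-decrypted buffer of exactly 'inlen' bytes. */
int pwri_validate(const unsigned char *plain, size_t inlen, size_t blocklen)
{
    if (plain == NULL || !block_gate_ok(inlen, blocklen))
        return -1;
    if (inlen < PWRI_MIN_PLAIN)      /* absolute floor, independent of cipher */
        return -1;
    if (((plain[1] ^ plain[4]) & (plain[2] ^ plain[5])
         & (plain[3] ^ plain[6])) != 0xff)
        return -1;
    if (plain[0] == 0 || (size_t)plain[0] > inlen - 4)
        return -1;                   /* claimed CEK length must fit */
    return plain[0];
}

/* Constructed sample inputs (not taken from any real message). */
static const unsigned char SAMPLE_OK[16] = {
    0x08, 0xEE, 0xDD, 0xCC, 0x11, 0x22, 0x33, 0x44,
    0x55, 0x66, 0x77, 0x88, 0xA5, 0xA5, 0xA5, 0xA5 };
static const unsigned char SAMPLE_SHORT[2] = { 0x08, 0xEE };

int main(void)
{
    printf("block gate, 2 bytes, blocklen 1: %d\n", block_gate_ok(2, 1));
    printf("validate short: %d\n", pwri_validate(SAMPLE_SHORT, 2, 1));
    printf("validate ok:    %d\n", pwri_validate(SAMPLE_OK, 16, 8));
    return 0;
}
```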
Exploitation
An attacker needs to provide a crafted CMS data blob to a vulnerable application. The flaw is reached during the key unwrapping process, before any password authentication occurs, so no knowledge of the password is required. The attacker selects a stream-mode cipher in the PWRI keyEncryptionAlgorithm field of the message; the application then attempts to read the check-bytes specified in RFC 3211 from a heap allocation that is too small because of the chosen stream cipher [1].
Impact
Successful exploitation can lead to a denial of service (DoS): if the heap allocation borders unmapped memory and the over-read bytes cross that boundary, the process crashes. The over-read is limited to a few bytes, and these bytes are not revealed to the attacker, so there is no information disclosure. A crash is considered unlikely with the normal allocator, because it requires the allocation to border unmapped memory [1].
Mitigation
OpenSSL versions 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh (premium support), and 1.0.2zq (premium support) contain fixes for this issue [1]. Users should upgrade to the patched versions. No workarounds are specified in the available references. The affected versions are not End-of-Life [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (5)
- eecbe330977e
- 77bf00ab13f6
- 715349a1d7c6
- 3d8d5bc1056b
- 05b066366842
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- github.com/openssl/security/commit/05b066366842f930fadd9a6e94df98030af431bb (nvd)
- github.com/openssl/security/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0 (nvd)
- github.com/openssl/security/commit/715349a1d7c6db970e6815dafb90915f07307f98 (nvd)
- github.com/openssl/security/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26 (nvd)
- github.com/openssl/security/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6 (nvd)
- openssl-library.org/news/secadv/20260609.txt (nvd)
News mentions (1)
- OpenSSL Project: 18 Vulnerabilities Disclosed Together on June 9, 2026 (Vypr Intelligence · Jun 9, 2026)