VYPR

apk package

chainguard/openssl-provider-fips-3.6.0-dbg

pkg:apk/chainguard/openssl-provider-fips-3.6.0-dbg

Vulnerabilities (9)

  • CVE-2026-9076HigJun 9, 2026
    affected < 0fixed 0

    Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash w

  • CVE-2026-45445HigJun 9, 2026
    affected < 0fixed 0

    Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce re

  • CVE-2026-42770LowJun 9, 2026
    affected < 3.4.0-r4fixed 3.4.0-r4

    Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small

  • CVE-2026-42769MedJun 9, 2026
    affected < 0fixed 0

    Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Auth

  • CVE-2026-42765HigJun 9, 2026
    affected < 0fixed 0

    Issue summary: When a partial-chain certificate verification is enabled together with OCSP response checking for the whole chain, a NULL dereference will happen if the verified chain does not have a self-signed trusted anchor, crashing the process. Impact summary: A NULL pointer

  • CVE-2026-42764HigJun 9, 2026
    affected < 0fixed 0

    Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server pro

  • CVE-2026-35188MedJun 9, 2026
    affected < 0fixed 0

    Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path. Impact summary: Successful exploitation allows an attacker to corrupt he

  • CVE-2026-28387HigApr 7, 2026
    affected < 0fixed 0

    Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of po

  • CVE-2026-2673MedMar 13, 2026
    affected < 0fixed 0

    Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more pref