Critical OpenSSL Vulnerabilities Enable Remote Code Execution Attacks
OpenSSL has released patches for critical vulnerabilities, including CVE-2026-45447, a heap use-after-free bug in PKCS7_verify that can lead to remote code execution.

OpenSSL has issued a critical security advisory detailing a vulnerability, CVE-2026-45447, that could permit remote code execution when applications process specially crafted PKCS7 or S/MIME signed messages. This heap use-after-free bug resides within the PKCS7_verify function and can lead to memory corruption. In certain deployment scenarios, this corruption can be exploited by attackers to execute arbitrary code on vulnerable systems. The vulnerability is triggered when a signed message contains an empty SignedData.digestAlgorithms ASN.1 SET. This condition causes OpenSSL to free a BIO object that is still in use by the calling application, without the application being aware of the change. If the application subsequently reuses or attempts to free this same BIO object, it can result in a use-after-free condition, potentially leading to crashes, heap corruption, or even controlled exploitation depending on the memory allocator's behavior and how the BIO is managed.
The advisory clarifies that this vulnerability specifically affects applications utilizing OpenSSL's PKCS7 APIs for verifying PKCS7 or S/MIME signatures. Applications that rely on the CMS APIs for the same verification tasks are not impacted by this particular flaw. The vulnerability affects a wide range of OpenSSL versions, including 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2. OpenSSL has provided patched releases for each of these affected branches, urging administrators to upgrade to OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, or 3.0.21. For users requiring support for legacy versions, upgrades to 1.1.1zh or 1.0.2zq are recommended. Notably, the FIPS modules for versions 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected, as the vulnerable code resides outside the FIPS boundary.
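As an added illustration (not code from the OpenSSL project or from the advisory), the following Python pre-screens a DER-encoded PKCS7 signedData message for the empty digestAlgorithms SET described above, so that an application still on a vulnerable release can reject such input before it ever reaches PKCS7_verify. The minimal DER walker, the function names and the two constructed sample messages are assumptions of this example; it checks structure only and does not replace upgrading.

```python
# Constructed example: pre-screen DER PKCS7 signedData for an empty digestAlgorithms SET.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
SHA256_OID = bytes.fromhex("608648016503040201")        # 2.16.840.1.101.3.4.2.1

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def has_empty_digest_algorithms(der):
    """True if der is a signedData ContentInfo whose digestAlgorithms SET is empty.
    Raises ValueError for anything that is not a signedData ContentInfo (reject too)."""
    tag, content_info, _ = _read_tlv(der, 0)
    parts = list(_children(content_info)) if tag == 0x30 else []
    if len(parts) != 2 or parts[0] != (0x06, SIGNED_DATA_OID) or parts[1][0] != 0xA0:
        raise ValueError("not a PKCS7 signedData ContentInfo")
    tag, signed_data, _ = _read_tlv(parts[1][1], 0)     # [0] EXPLICIT SignedData
    fields = list(_children(signed_data)) if tag == 0x30 else []
    # SignedData ::= SEQUENCE { version INTEGER, digestAlgorithms SET OF AlgorithmIdentifier, ... }
    if len(fields) < 2 or fields[0][0] != 0x02 or fields[1][0] != 0x31:
        raise ValueError("malformed SignedData")
    return len(fields[1][1]) == 0

def _tlv(tag, value):
    """Encode a short-form DER TLV (values under 128 bytes, enough for the samples)."""
    return bytes([tag, len(value)]) + value

def sample_signed_data(digest_algorithms):
    """Constructed skeleton: version 1, given digestAlgorithms, data content, no signers."""
    body = (_tlv(0x02, b"\x01") + _tlv(0x31, digest_algorithms)
            + _tlv(0x30, _tlv(0x06, DATA_OID)) + _tlv(0x31, b""))
    return _tlv(0x30, _tlv(0x06, SIGNED_DATA_OID) + _tlv(0xA0, _tlv(0x30, body)))

SHA256_ALG = _tlv(0x30, _tlv(0x06, SHA256_OID) + b"\x05\x00")   # AlgorithmIdentifier
MALFORMED = sample_signed_data(b"")                             # empty SET: reject
WELL_FORMED = sample_signed_data(SHA256_ALG)                    # one algorithm: pass
```

`has_empty_digest_algorithms(MALFORMED)` returns True and `has_empty_digest_algorithms(WELL_FORMED)` returns False; a ValueError should be handled as a rejection as well.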
In addition to the critical CVE-2026-45447, the advisory enumerates several other vulnerabilities of varying severity, ranging from high to moderate, across different components of the OpenSSL library. These include weaknesses in CMS AuthEnvelopedData processing that could allow for key-equivalent capabilities or bypass integrity checks. Flaws in QUIC logic have been identified, which could be exploited for denial-of-service attacks through memory exhaustion or NULL pointer dereferences. An issue with AES-OCB misuse was also detailed, where Initialization Vectors (IVs) are silently ignored when using the low-level EVP_Cipher interface, compromising nonce uniqueness and tag authenticity.
Further vulnerabilities span several ASN.1 parsing bugs, issues in PKCS12 PBMAC1 validation, and problems with CMS password-based decryption. Several flaws in CMP handling were also disclosed, many of which primarily lead to denial-of-service conditions, though some may enable more advanced cryptographic attacks. The impact varies depending on the specific vulnerability, the configuration of OpenSSL, and the features being used. OpenSSL's own protocols such as TLS, QUIC, CMS, PKCS7, HPKE, and S/MIME are affected in different combinations. However, some of the most severe cryptographic weaknesses are confined to custom applications that employ low-level EVP primitives or implement bespoke messaging protocols on top of OpenSSL, particularly those that fail to enforce strict input validation or rely on error codes as security indicators.
The OpenSSL team strongly advises organizations to not only apply the latest patches but also to conduct thorough audits of their usage of PKCS7, CMS, QUIC, AES-OCB, AES-SIV, and PKCS12 workflows. This auditing process is crucial for identifying any high-risk exposure points. As an interim measure for organizations facing delays in upgrading, disabling nonessential features such as OCSP stapling and vulnerable PKCS7-based communication paths can serve as a hardening step.