CVE-2026-42766
Possible NULL Dereference in Password-Based CMS Decryption
Description
Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
INFO
Published Date :
June 9, 2026, 5:17 p.m.
Last Modified :
June 15, 2026, 6:25 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update OpenSSL to a patched version.
- Ensure CMS messages are validated before processing.
- Avoid processing untrusted CMS messages.
Public PoC/Exploit Available at Github
CVE-2026-42766 has a 2 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-42766.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-42766 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-42766
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Tooling for generating and manipulating Software Bill of Materials (SBOMs) for OpenVox projects.
Ruby
None
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-42766 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-42766 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 15, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.0.2 up to (excluding) 1.0.2zq *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.1.1 up to (excluding) 1.1.1zh *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.0.21 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.4.0 up to (excluding) 3.4.6 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.5.0 up to (excluding) 3.5.7 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.6.0 up to (excluding) 3.6.3 *cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:* Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8 Types: Patch Added Reference Type OpenSSL Software Foundation: https://openssl-library.org/news/secadv/20260609.txt Types: Vendor Advisory -
CVE Modified by [email protected]
Jun. 10, 2026
Action Type Old Value New Value Added Reference https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce Added Reference https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4 Added Reference https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7 Added Reference https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4 Added Reference https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8 Removed Reference https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce Removed Reference https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4 Removed Reference https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7 Removed Reference https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4 Removed Reference https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 09, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H -
New CVE Received by [email protected]
Jun. 09, 2026
Action Type Old Value New Value Added Description Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. Added CWE CWE-476 Added Reference https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce Added Reference https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4 Added Reference https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7 Added Reference https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4 Added Reference https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8 Added Reference https://openssl-library.org/news/secadv/20260609.txt