1. Home
  2. Vulnerabilities
  3. CVE-2026-42766
0.0
NA
CVE-2026-42766
Possible NULL Dereference in Password-Based CMS Decryption
Overview
Description

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Details
INFO

Published Date :

June 9, 2026, 5:17 p.m.

Last Modified :

June 9, 2026, 7:38 p.m.

Remotely Exploit :

No

Source :

[email protected]
Impact
Affected Products

The following products are affected by CVE-2026-42766 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Solution
Update OpenSSL to a version that addresses the NULL pointer dereference vulnerability.
  • Update OpenSSL to a patched version.
  • Ensure CMS messages are validated before processing.
  • Avoid processing untrusted CMS messages.
References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-42766.

URL Resource
https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce
https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4
https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7
https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4
https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8
https://openssl-library.org/news/secadv/20260609.txt
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-42766 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-42766 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-42766 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-42766 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by [email protected]

    Jun. 09, 2026

    Action Type Old Value New Value
    Added Description Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
    Added CWE CWE-476
    Added Reference https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce
    Added Reference https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4
    Added Reference https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7
    Added Reference https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4
    Added Reference https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8
    Added Reference https://openssl-library.org/news/secadv/20260609.txt
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.