CVE-2026-45446
Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes
Description
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
INFO
Published Date :
June 9, 2026, 5:17 p.m.
Last Modified :
June 16, 2026, 2:57 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update OpenSSL to a patched version.
- Ensure AAD is authenticated properly.
- Verify all decryption contexts are reset.
- Avoid empty ciphertext with AAD.
Public PoC/Exploit Available at Github
CVE-2026-45446 has a 1 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-45446.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-45446 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-45446
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Tooling for generating and manipulating Software Bill of Materials (SBOMs) for OpenVox projects.
Ruby
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-45446 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-45446 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 16, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.0.21 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.4.0 up to (excluding) 3.4.6 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.5.0 up to (excluding) 3.5.7 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.6.0 up to (excluding) 3.6.3 *cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:* Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/daca0f48e4a69a2892a62262bad59e62a8a76598 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/eec5e9bf0d867333b8495e456f5235d225798a68 Types: Patch Added Reference Type OpenSSL Software Foundation: https://openssl-library.org/news/secadv/20260609.txt Types: Vendor Advisory -
CVE Modified by [email protected]
Jun. 10, 2026
Action Type Old Value New Value Added Reference https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc Added Reference https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3 Added Reference https://github.com/openssl/openssl/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85 Added Reference https://github.com/openssl/openssl/commit/daca0f48e4a69a2892a62262bad59e62a8a76598 Added Reference https://github.com/openssl/openssl/commit/eec5e9bf0d867333b8495e456f5235d225798a68 Removed Reference https://github.com/openssl/security/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc Removed Reference https://github.com/openssl/security/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3 Removed Reference https://github.com/openssl/security/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85 Removed Reference https://github.com/openssl/security/commit/daca0f48e4a69a2892a62262bad59e62a8a76598 Removed Reference https://github.com/openssl/security/commit/eec5e9bf0d867333b8495e456f5235d225798a68 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 09, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N -
New CVE Received by [email protected]
Jun. 09, 2026
Action Type Old Value New Value Added Description Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary. Added CWE CWE-325 Added Reference https://github.com/openssl/security/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc Added Reference https://github.com/openssl/security/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3 Added Reference https://github.com/openssl/security/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85 Added Reference https://github.com/openssl/security/commit/daca0f48e4a69a2892a62262bad59e62a8a76598 Added Reference https://github.com/openssl/security/commit/eec5e9bf0d867333b8495e456f5235d225798a68 Added Reference https://openssl-library.org/news/secadv/20260609.txt