CVE-2026-45447
Heap Use-After-Free in the PKCS7_verify() Function
Description
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
INFO
Published Date :
June 9, 2026, 5:17 p.m.
Last Modified :
June 16, 2026, 2:56 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | ||||
| CVSS 3.1 | HIGH | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | ||||
| CVSS 3.1 | HIGH | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c |
Solution
- Update OpenSSL library to a patched version.
- Verify affected applications use patched OpenSSL.
- Avoid processing untrusted PKCS#7 or S/MIME messages.
- Use CMS APIs for message processing if possible.
Public PoC/Exploit Available at Github
CVE-2026-45447 has a 9 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-45447.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-45447 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-45447
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Hands-on DevSecOps demo: a hardened, multi-stage Docker build for a Flask app with a Trivy CI security gate, SBOM generation (Syft), Docker Scout scanning, digest-pinned base images, and documented CVE exceptions. Build fails on HIGH/CRITICAL vulns.
ci-cd container-security devops devsecops docker-scout flask github-actions image-hardening python sbom security-gate shift-left supply-chain-security syft trivy vulnerability-scanning
Python
Tooling for generating and manipulating Software Bill of Materials (SBOMs) for OpenVox projects.
Ruby
None
Dockerfile HCL JavaScript HTML Python Shell
CVE-2026-45447
Shell
Demo app for DevSecOps pipeline
Java Dockerfile
Dockerized Python automation tool that converts Grype vulnerability scan results into Excel reports.
Dockerfile Python
RetailStore es una plataforma de e-commerce
Dockerfile HTML TypeScript Python Go HCL Shell
A variety of tech related news summarized regularly.
custom-elements gpt-4o html machine-learning progressive-web-app pwa web-components news-summarization
HTML Shell JavaScript
All Public RunWhen Helm Charts - Managed by terraform
Shell Dockerfile Go Template
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-45447 vulnerability anywhere in the article.
-
security.nl
OpenSSL-lek gevonden met AI kan mogelijk tot remote code execution leiden
Een beveiligingsonderzoeker heeft met behulp van AI een kwetsbaarheid in OpenSSL gevonden die in bepaalde gevallen mogelijk tot remote code execution kan leiden, zo laat het ontwikkelteam weten. Er zi ... Read more
The following table lists the changes that have been made to the
CVE-2026-45447 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 16, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.0.2 up to (excluding) 1.0.2zq *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.1.1 up to (excluding) 1.1.1zh *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.0.21 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.4.0 up to (excluding) 3.4.6 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.5.0 up to (excluding) 3.5.7 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.6.0 up to (excluding) 3.6.3 *cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:* Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e Types: Patch Added Reference Type OpenSSL Software Foundation: https://openssl-library.org/news/secadv/20260609.txt Types: Vendor Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 10, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Removed CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -
CVE Modified by [email protected]
Jun. 10, 2026
Action Type Old Value New Value Added Reference https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c Added Reference https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8 Added Reference https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54 Added Reference https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c Added Reference https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e Removed Reference https://github.com/openssl/security/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c Removed Reference https://github.com/openssl/security/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8 Removed Reference https://github.com/openssl/security/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54 Removed Reference https://github.com/openssl/security/commit/a541ae8bfe849a30cc885e8780715c0f488e496c Removed Reference https://github.com/openssl/security/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 09, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -
New CVE Received by [email protected]
Jun. 09, 2026
Action Type Old Value New Value Added Description Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. Added CWE CWE-416 Added Reference https://github.com/openssl/security/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c Added Reference https://github.com/openssl/security/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8 Added Reference https://github.com/openssl/security/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54 Added Reference https://github.com/openssl/security/commit/a541ae8bfe849a30cc885e8780715c0f488e496c Added Reference https://github.com/openssl/security/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e Added Reference https://openssl-library.org/news/secadv/20260609.txt