NULL Pointer Dereference in CRMF EncryptedValue Decryption
Summary
| CVE | CVE-2026-42767 |
|---|---|
| State | PUBLISHED |
| Assigner | openssl |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-09 17:17:08 UTC |
| Updated | 2026-06-09 21:17:17 UTC |
| Description | Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. |
Risk And Classification
Primary CVSS: v3.1 5.9 MEDIUM from ADP
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-476 | CWE-476 CWE-476 NULL Pointer Dereference
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | OpenSSL | OpenSSL | affected 4.0.0 4.0.1 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.6.0 3.6.3 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.5.0 3.5.7 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.4.0 3.4.6 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.0.0 3.0.21 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/openssl/security/commit/665d5254083affde9982efca7c41dd01cacc8774 | [email protected] | github.com | |
| github.com/openssl/security/commit/810b722f772652ad48042bcc7ab07e3414b11d0f | [email protected] | github.com | |
| github.com/openssl/security/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d | [email protected] | github.com | |
| github.com/openssl/security/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873 | [email protected] | github.com | |
| github.com/openssl/security/commit/61a86a8cd73546c9fea916f3d304c1293e05c046 | [email protected] | github.com | |
| openssl-library.org/news/secadv/20260609.txt | [email protected] | openssl-library.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Zhanpeng Liu (Tencent Xuanwu Lab) (en)
CNA: Guannan Wang (Tencent Xuanwu Lab) (en)
CNA: Guancheng Li (Tencent Xuanwu Lab) (en)
CNA: Bhabani Sankar Das (en)
CNA: Igor Ustinov (en)
CNA: Tomáš Mráz (en)
There are currently no legacy QID mappings associated with this CVE.