Heap Use-After-Free in the PKCS7_verify() Function
Summary
| CVE | CVE-2026-45447 |
|---|---|
| State | PUBLISHED |
| Assigner | openssl |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-09 17:17:19 UTC |
| Updated | 2026-07-08 13:16:47 UTC |
| Description | Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.013880000 probability, percentile 0.686400000 (date 2026-06-16)
Problem Types: CWE-416 | CWE-825 | CWE-416 CWE-416 Use After Free | CWE-825 Expired Pointer Dereference
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | OpenSSL | OpenSSL | affected 4.0.0 4.0.1 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.6.0 3.6.3 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.5.0 3.5.7 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.4.0 3.4.6 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 3.0.0 3.0.21 semver | Not specified |
| CNA | OpenSSL | OpenSSL | affected 1.1.1 1.1.1zh custom | Not specified |
| CNA | OpenSSL | OpenSSL | affected 1.0.2 1.0.2zq custom | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream E4S V.8.8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream TUS V.8.8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS V. 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS EUS EXTENSION V.8.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS E4S V.8.8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS TUS V.8.8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Discovery 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Insights Proxy 1.5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Update Infrastructure 5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45447.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:36217 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36215 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25239 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35869 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-45447 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34102 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:26319 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54 | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:29197 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25237 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8 | [email protected] | github.com | Patch |
| openssl-library.org/news/secadv/20260609.txt | [email protected] | openssl-library.org | Vendor Advisory |
| github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:26275 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c | [email protected] | github.com | Patch |
| github.com/openssl/security/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c | MITRE | github.com | |
| github.com/openssl/security/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8 | MITRE | github.com | |
| github.com/openssl/security/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54 | MITRE | github.com | |
| github.com/openssl/security/commit/a541ae8bfe849a30cc885e8780715c0f488e496c | MITRE | github.com | |
| github.com/openssl/security/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e | MITRE | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Thai Duong (Calif.io in collaboration with Claude and Anthropic Research) (en)
CNA: Igor Ustinov (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-27T14:17:46.000Z | Reported to Red Hat. |
| ADP | 2026-06-09T00:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:25237: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)
ADP: RHSA-2026:36215: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:36217: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)
ADP: RHSA-2026:35869: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:25239: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)
ADP: RHSA-2026:26275: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.8)
ADP: RHSA-2026:29197: Red Hat Discovery 2
ADP: RHSA-2026:34102: Red Hat Insights proxy 1.5
ADP: RHSA-2026:26319: Red Hat Update Infrastructure 5
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.