Out-of-Bounds Read in CMS Password-Based Decryption

Summary

CVE: CVE-2026-9076
State: PUBLISHED
Assigner: openssl
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-09 17:17:50 UTC
Updated: 2026-06-10 08:16:26 UTC

Description:

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash, which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure, as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation sized from the wrapped key length in the message. There is a minimum length check based on the block length of the wrapping cipher. However, the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm, with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher, the guard is ineffective: the allocated buffer containing the unwrapped key can be too small to hold the check bytes specified in the RFC, and a buffer over-read can occur.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt, before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.

The FIPS modules are not affected by this issue.
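The following C program is an added illustration, not OpenSSL's code and not its patch. It models the two pieces the description above turns on: a minimum-length guard derived from the KEK cipher's block size, and the RFC 3211 check-byte test that reads the first 7 bytes of the unwrapped buffer. It shows why a guard based only on block size admits a 2-byte allocation once a stream-mode cipher (block size 1) is selected, and what a guard that also insists on a block cipher and on room for the check bytes rejects. The kek_cipher type, the exact shape of both guards, and the sample formatted key are constructed assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 3211 section 2.3.1 formats the key to be wrapped as
 *   [key length byte][3 check bytes][key][padding]
 * where each check byte is the bitwise complement of the corresponding
 * first key byte, so the check-byte test touches bytes 0..6 (7 bytes). */
#define PWRI_CHECK_BYTES 7

/* Hypothetical stand-in for the EVP cipher chosen from the PWRI OID.
 * Stream-mode ciphers report a block size of 1. */
typedef struct {
    const char *name;
    size_t block_size;
} kek_cipher;

/* Constructed ciphers: one stream-mode KEK, one genuine block cipher. */
const kek_cipher STREAM_KEK  = { "stream-mode KEK (constructed)", 1 };
const kek_cipher AES_CBC_KEK = { "aes-128-cbc", 16 };

/* Assumed shape of a guard that only looks at the block length: the wrapped
 * key must cover two cipher blocks. With block_size == 1 that is any len >= 2. */
int guard_block_only(const kek_cipher *c, size_t wrapped_len)
{
    return wrapped_len >= 2 * c->block_size;
}

/* Hardened guard (this example's policy, not OpenSSL's fix): the KEK must be
 * a real block cipher (the smallest block size of any block cipher OpenSSL
 * offers is 8 bytes), the length must be a whole number of blocks covering at
 * least two of them, and it must hold the 7 bytes the check-byte test reads. */
int guard_hardened(const kek_cipher *c, size_t wrapped_len)
{
    if (c->block_size < 8)
        return 0;
    if (wrapped_len < 2 * c->block_size || wrapped_len % c->block_size != 0)
        return 0;
    if (wrapped_len < PWRI_CHECK_BYTES)
        return 0;
    return 1;
}

/* The RFC 3211 check-byte test over a decrypted buffer of len bytes.
 * Returns -1 if the test would read past the buffer (the over-read this CVE
 * describes, reported here instead of performed), 0 on mismatch, 1 on match. */
int pwri_check_bytes(const uint8_t *buf, size_t len)
{
    if (len < PWRI_CHECK_BYTES)
        return -1;
    /* The key itself must also fit: length byte + 3 check bytes + key. */
    if ((size_t)buf[0] + 4 > len)
        return 0;
    for (int i = 0; i < 3; i++) {
        if (buf[1 + i] != (uint8_t)~buf[4 + i])
            return 0;
    }
    return 1;
}

/* Whole unwrap-time decision for a cipher, a wrapped length and a guard:
 *  1 = the check-byte test can run safely on an allocation of wrapped_len,
 *  0 = rejected by the guard,
 * -1 = the guard passed but the test would over-read the allocation. */
int unwrap_decision(const kek_cipher *c, size_t wrapped_len,
                    int (*guard)(const kek_cipher *, size_t))
{
    if (!guard(c, wrapped_len))
        return 0;
    return wrapped_len >= PWRI_CHECK_BYTES ? 1 : -1;
}

/* Constructed 16-byte formatted key: 10-byte key 01..0A with valid check
 * bytes (~01, ~02, ~03) and two bytes of padding. */
const uint8_t SAMPLE_FORMATTED_KEY[16] = {
    0x0A, 0xFE, 0xFD, 0xFC, 0x01, 0x02, 0x03, 0x04,
    0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x00, 0x00
};

int main(void)
{
    printf("stream KEK, 2-byte wrapped key, block-only guard: %d\n",
           unwrap_decision(&STREAM_KEK, 2, guard_block_only));
    printf("stream KEK, 2-byte wrapped key, hardened guard:   %d\n",
           unwrap_decision(&STREAM_KEK, 2, guard_hardened));
    printf("AES-CBC KEK, 32-byte wrapped key, hardened guard: %d\n",
           unwrap_decision(&AES_CBC_KEK, 32, guard_hardened));
    printf("check bytes on valid 16-byte buffer: %d\n",
           pwri_check_bytes(SAMPLE_FORMATTED_KEY, 16));
    return 0;
}
```

The point the model makes explicit is that the block-size guard is only meaningful for the cipher family the RFC assumes; once the cipher is attacker-selected, the guard has to validate the cipher class as well as the length. The same reasoning applies to any parser that sizes a buffer from one untrusted field and validates it against a parameter taken from another.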

Risk And Classification

Primary CVSS: v3.1 7.5 HIGH from ADP

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-125 Out-of-bounds Read

Version | Source | Type | Score | Severity | Vector
3.1 | ADP | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Declared Affected Products

Source | Vendor | Product | Status | Version from | Version to | Version type | Platforms
CNA | OpenSSL | OpenSSL | affected | 4.0.0 | 4.0.1 | semver | Not specified
CNA | OpenSSL | OpenSSL | affected | 3.6.0 | 3.6.3 | semver | Not specified
CNA | OpenSSL | OpenSSL | affected | 3.5.0 | 3.5.7 | semver | Not specified
CNA | OpenSSL | OpenSSL | affected | 3.4.0 | 3.4.6 | semver | Not specified
CNA | OpenSSL | OpenSSL | affected | 3.0.0 | 3.0.21 | semver | Not specified
CNA | OpenSSL | OpenSSL | affected | 1.1.1 | 1.1.1zh | custom | Not specified
CNA | OpenSSL | OpenSSL | affected | 1.0.2 | 1.0.2zq | custom | Not specified

References

Reference | Source | Link | Tags
github.com/openssl/openssl/commit/715349a1d7c6db970e6815dafb90915f07307f98 | [email protected] | github.com |
github.com/openssl/openssl/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26 | [email protected] | github.com |
openssl-library.org/news/secadv/20260609.txt | [email protected] | openssl-library.org |
github.com/openssl/openssl/commit/05b066366842f930fadd9a6e94df98030af431bb | [email protected] | github.com |
github.com/openssl/openssl/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0 | [email protected] | github.com |
github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6 | [email protected] | github.com |
github.com/openssl/security/commit/05b066366842f930fadd9a6e94df98030af431bb | MITRE | github.com |
github.com/openssl/security/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0 | MITRE | github.com |
github.com/openssl/security/commit/715349a1d7c6db970e6815dafb90915f07307f98 | MITRE | github.com |
github.com/openssl/security/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26 | MITRE | github.com |
github.com/openssl/security/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6 | MITRE | github.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Bhabani Sankar Das

CNA: Haruki Oyama (Waseda University)

CNA: Nikola Pajkovsky

© CVE.report 2026 |