{"api_version":"1","generated_at":"2026-06-10T10:27:09+00:00","cve":"CVE-2026-42765","urls":{"html":"https://cve.report/CVE-2026-42765","api":"https://cve.report/api/cve/CVE-2026-42765.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-42765","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-42765"},"summary":{"title":"NULL Dereference in Certificate Verification with OCSP Checking","description":"Issue summary: When a partial-chain certificate verification is enabled\ntogether with OCSP response checking for the whole chain, a NULL dereference\nwill happen if the verified chain does not have a self-signed trusted anchor,\ncrashing the process.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to a\nDenial of Service for an application.\n\nWhen performing OCSP response checking for certificates in the verification\nchain, the code always tries to access the next certificate as the issuer.\nThere is a check for a self-signed certificate. However with the partial\nchain verification enabled when the chain does not have a self-signed trusted\nanchor, the issuer will be NULL for the last certificate in the chain. A NULL\npointer dereference then happens.\n\nThis issue affects only applications which enable both OCSP verification\nof the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial\nchain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate\nverification. Both flags are disabled by default. For that reason, we have\nassigned Low severity to the issue.\n\nNo FIPS modules are affected by this issue as the affected code is outside\nthe OpenSSL FIPS module boundary.","state":"PUBLISHED","assigner":"openssl","published_at":"2026-06-09 17:17:07","updated_at":"2026-06-10 08:16:23"},"problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://github.com/openssl/openssl/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97","name":"https://github.com/openssl/openssl/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/14340b7fa1d444615486bc137014b064e64ec334","name":"https://github.com/openssl/openssl/commit/14340b7fa1d444615486bc137014b064e64ec334","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://openssl-library.org/news/secadv/20260609.txt","name":"https://openssl-library.org/news/secadv/20260609.txt","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/14340b7fa1d444615486bc137014b064e64ec334","name":"https://github.com/openssl/security/commit/14340b7fa1d444615486bc137014b064e64ec334","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97","name":"https://github.com/openssl/security/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-42765","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42765","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 4.0.0 4.0.1 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.6.0 3.6.3 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Joshua Rogers (Aisle Research)","lang":"en"},{"source":"CNA","value":"Joshua Rogers (Aisle Research)","lang":"en"},{"source":"CNA","value":"Daniel Kubec","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-42765","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-09T19:35:48.849695Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-09T19:36:06.889Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"OpenSSL","vendor":"OpenSSL","versions":[{"lessThan":"4.0.1","status":"affected","version":"4.0.0","versionType":"semver"},{"lessThan":"3.6.3","status":"affected","version":"3.6.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"Joshua Rogers (Aisle Research)"},{"lang":"en","type":"remediation developer","value":"Joshua Rogers (Aisle Research)"},{"lang":"en","type":"remediation developer","value":"Daniel Kubec"}],"datePublic":"2026-06-09T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Issue summary: When a partial-chain certificate verification is enabled<br>together with OCSP response checking for the whole chain, a NULL dereference<br>will happen if the verified chain does not have a self-signed trusted anchor,<br>crashing the process.<br><br>Impact summary: A NULL pointer dereference can trigger a crash which leads to a<br>Denial of Service for an application.<br><br>When performing OCSP response checking for certificates in the verification<br>chain, the code always tries to access the next certificate as the issuer.<br>There is a check for a self-signed certificate. However with the partial<br>chain verification enabled when the chain does not have a self-signed trusted<br>anchor, the issuer will be NULL for the last certificate in the chain. A NULL<br>pointer dereference then happens.<br><br>This issue affects only applications which enable both OCSP verification<br>of the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial<br>chain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate<br>verification. Both flags are disabled by default. For that reason, we have<br>assigned Low severity to the issue.<br><br>No FIPS modules are affected by this issue as the affected code is outside<br>the OpenSSL FIPS module boundary."}],"value":"Issue summary: When a partial-chain certificate verification is enabled\ntogether with OCSP response checking for the whole chain, a NULL dereference\nwill happen if the verified chain does not have a self-signed trusted anchor,\ncrashing the process.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to a\nDenial of Service for an application.\n\nWhen performing OCSP response checking for certificates in the verification\nchain, the code always tries to access the next certificate as the issuer.\nThere is a check for a self-signed certificate. However with the partial\nchain verification enabled when the chain does not have a self-signed trusted\nanchor, the issuer will be NULL for the last certificate in the chain. A NULL\npointer dereference then happens.\n\nThis issue affects only applications which enable both OCSP verification\nof the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial\nchain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate\nverification. Both flags are disabled by default. For that reason, we have\nassigned Low severity to the issue.\n\nNo FIPS modules are affected by this issue as the affected code is outside\nthe OpenSSL FIPS module boundary."}],"metrics":[{"format":"other","other":{"content":{"text":"Low"},"type":"https://openssl-library.org/policies/general/security-policy/"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T07:48:00.427Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"name":"OpenSSL Advisory","tags":["vendor-advisory"],"url":"https://openssl-library.org/news/secadv/20260609.txt"},{"name":"4.0.1 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/14340b7fa1d444615486bc137014b064e64ec334"},{"name":"3.6.3 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97"}],"source":{"discovery":"UNKNOWN"},"title":"NULL Dereference in Certificate Verification with OCSP Checking","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2026-42765","datePublished":"2026-06-09T16:03:25.934Z","dateReserved":"2026-04-29T09:22:27.968Z","dateUpdated":"2026-06-10T07:48:00.427Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-09 17:17:07","lastModifiedDate":"2026-06-10 08:16:23","problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"42765","Ordinal":"1","Title":"NULL Dereference in Certificate Verification with OCSP Checking","CVE":"CVE-2026-42765","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"42765","Ordinal":"1","NoteData":"Issue summary: When a partial-chain certificate verification is enabled\ntogether with OCSP response checking for the whole chain, a NULL dereference\nwill happen if the verified chain does not have a self-signed trusted anchor,\ncrashing the process.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to a\nDenial of Service for an application.\n\nWhen performing OCSP response checking for certificates in the verification\nchain, the code always tries to access the next certificate as the issuer.\nThere is a check for a self-signed certificate. However with the partial\nchain verification enabled when the chain does not have a self-signed trusted\nanchor, the issuer will be NULL for the last certificate in the chain. A NULL\npointer dereference then happens.\n\nThis issue affects only applications which enable both OCSP verification\nof the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial\nchain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate\nverification. Both flags are disabled by default. For that reason, we have\nassigned Low severity to the issue.\n\nNo FIPS modules are affected by this issue as the affected code is outside\nthe OpenSSL FIPS module boundary.","Type":"Description","Title":"NULL Dereference in Certificate Verification with OCSP Checking"}]}}}