{"api_version":"1","generated_at":"2026-06-10T08:10:21+00:00","cve":"CVE-2026-42766","urls":{"html":"https://cve.report/CVE-2026-42766","api":"https://cve.report/api/cve/CVE-2026-42766.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-42766","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-42766"},"summary":{"title":"Possible NULL Dereference in Password-Based CMS Decryption","description":"Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","state":"PUBLISHED","assigner":"openssl","published_at":"2026-06-09 17:17:07","updated_at":"2026-06-09 21:17:17"},"problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7","name":"https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8","name":"https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4","name":"https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce","name":"https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://openssl-library.org/news/secadv/20260609.txt","name":"https://openssl-library.org/news/secadv/20260609.txt","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4","name":"https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-42766","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42766","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 4.0.0 4.0.1 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.6.0 3.6.3 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.5.0 3.5.7 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.4.0 3.4.6 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.0.0 3.0.21 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 1.1.1 1.1.1zh custom","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 1.0.2 1.0.2zq custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Mayank Jangid","lang":"en"},{"source":"CNA","value":"Kushal Khemka","lang":"en"},{"source":"CNA","value":"Hari Priandana","lang":"en"},{"source":"CNA","value":"Bhabani Sankar Das","lang":"en"},{"source":"CNA","value":"Qifan Zhang (Palo Alto Networks)","lang":"en"},{"source":"CNA","value":"Igor Ustinov","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-42766","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-09T19:46:24.673332Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-09T19:46:27.585Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"OpenSSL","vendor":"OpenSSL","versions":[{"lessThan":"4.0.1","status":"affected","version":"4.0.0","versionType":"semver"},{"lessThan":"3.6.3","status":"affected","version":"3.6.0","versionType":"semver"},{"lessThan":"3.5.7","status":"affected","version":"3.5.0","versionType":"semver"},{"lessThan":"3.4.6","status":"affected","version":"3.4.0","versionType":"semver"},{"lessThan":"3.0.21","status":"affected","version":"3.0.0","versionType":"semver"},{"lessThan":"1.1.1zh","status":"affected","version":"1.1.1","versionType":"custom"},{"lessThan":"1.0.2zq","status":"affected","version":"1.0.2","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","value":"Mayank Jangid"},{"lang":"en","type":"reporter","value":"Kushal Khemka"},{"lang":"en","type":"reporter","value":"Hari Priandana"},{"lang":"en","type":"reporter","value":"Bhabani Sankar Das"},{"lang":"en","type":"reporter","value":"Qifan Zhang (Palo Alto Networks)"},{"lang":"en","type":"remediation developer","value":"Igor Ustinov"}],"datePublic":"2026-06-09T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Issue summary: A specially crafted password-encrypted CMS message<br>can trigger a NULL pointer dereference during CMS decryption.<br><br>Impact summary: This NULL pointer dereference leads to an application crash<br>and a Denial of Service.<br><br>The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as<br>OPTIONAL in the ASN.1 specification and may therefore be absent in specially<br>crafted inputs. During the password-based CMS decryption the OpenSSL<br>CMS implementation dereferences this field without first checking whether it<br>was present.<br><br>An attacker who supplies such a CMS message to an application performing<br>password-based CMS decryption can trigger an application crash, leading to<br>a Denial of Service.<br><br>Applications that process password-encrypted CMS messages may be affected.<br><br>The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this<br>issue, as the affected code is outside the OpenSSL FIPS module boundary."}],"value":"Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}],"metrics":[{"format":"other","other":{"content":{"text":"Low"},"type":"https://openssl-library.org/policies/general/security-policy/"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-09T16:03:26.679Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"name":"OpenSSL Advisory","tags":["vendor-advisory"],"url":"https://openssl-library.org/news/secadv/20260609.txt"},{"name":"4.0.1 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4"},{"name":"3.6.3 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8"},{"name":"3.5.7 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce"},{"name":"3.4.6 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4"},{"name":"3.0.21 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7"}],"source":{"discovery":"UNKNOWN"},"title":"Possible NULL Dereference in Password-Based CMS Decryption","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2026-42766","datePublished":"2026-06-09T16:03:26.679Z","dateReserved":"2026-04-29T09:22:27.968Z","dateUpdated":"2026-06-09T19:46:27.585Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-09 17:17:07","lastModifiedDate":"2026-06-09 21:17:17","problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"42766","Ordinal":"1","Title":"Possible NULL Dereference in Password-Based CMS Decryption","CVE":"CVE-2026-42766","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"42766","Ordinal":"1","NoteData":"Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","Type":"Description","Title":"Possible NULL Dereference in Password-Based CMS Decryption"}]}}}