{"api_version":"1","generated_at":"2026-06-10T04:16:13+00:00","cve":"CVE-2026-42767","urls":{"html":"https://cve.report/CVE-2026-42767","api":"https://cve.report/api/cve/CVE-2026-42767.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-42767","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-42767"},"summary":{"title":"NULL Pointer Dereference in CRMF EncryptedValue Decryption","description":"Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","state":"PUBLISHED","assigner":"openssl","published_at":"2026-06-09 17:17:08","updated_at":"2026-06-09 21:17:17"},"problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://github.com/openssl/security/commit/665d5254083affde9982efca7c41dd01cacc8774","name":"https://github.com/openssl/security/commit/665d5254083affde9982efca7c41dd01cacc8774","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/810b722f772652ad48042bcc7ab07e3414b11d0f","name":"https://github.com/openssl/security/commit/810b722f772652ad48042bcc7ab07e3414b11d0f","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d","name":"https://github.com/openssl/security/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873","name":"https://github.com/openssl/security/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/61a86a8cd73546c9fea916f3d304c1293e05c046","name":"https://github.com/openssl/security/commit/61a86a8cd73546c9fea916f3d304c1293e05c046","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://openssl-library.org/news/secadv/20260609.txt","name":"https://openssl-library.org/news/secadv/20260609.txt","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-42767","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42767","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 4.0.0 4.0.1 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.6.0 3.6.3 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.5.0 3.5.7 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.4.0 3.4.6 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.0.0 3.0.21 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Zhanpeng Liu (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Guannan Wang (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Guancheng Li (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Bhabani Sankar Das","lang":"en"},{"source":"CNA","value":"Igor Ustinov","lang":"en"},{"source":"CNA","value":"Tomáš Mráz","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-42767","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-09T19:44:35.594012Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-09T19:45:04.422Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"OpenSSL","vendor":"OpenSSL","versions":[{"lessThan":"4.0.1","status":"affected","version":"4.0.0","versionType":"semver"},{"lessThan":"3.6.3","status":"affected","version":"3.6.0","versionType":"semver"},{"lessThan":"3.5.7","status":"affected","version":"3.5.0","versionType":"semver"},{"lessThan":"3.4.6","status":"affected","version":"3.4.0","versionType":"semver"},{"lessThan":"3.0.21","status":"affected","version":"3.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"Zhanpeng Liu (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Guannan Wang (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Guancheng Li (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Bhabani Sankar Das"},{"lang":"en","type":"remediation developer","value":"Igor Ustinov"},{"lang":"en","type":"remediation developer","value":"Tomáš Mráz"}],"datePublic":"2026-06-09T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Issue summary: An attacker-controlled CMP (Certificate Management Protocol)<br>server could trigger a NULL pointer dereference in a CMP client application.<br><br>Impact summary: A NULL pointer dereference causes a crash of the<br>application and a Denial of Service.<br><br>An attacker controlling a CMP server (or acting as a man-in-the-middle) could<br>craft a CMP response containing a CRMF (Certificate Request Message Format)<br>CertRepMessage with an EncryptedValue structure where the symmAlg field<br>has an algorithm OID but no parameters field. When the OpenSSL CMP client<br>processes this response, the NULL dereference occurs, causing a crash of<br>the CMP client.<br><br>Applications that process untrusted CMP/CRMF messages may be affected.<br><br>The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this<br>issue, as the affected code is outside the OpenSSL FIPS module boundary."}],"value":"Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}],"metrics":[{"format":"other","other":{"content":{"text":"Low"},"type":"https://openssl-library.org/policies/general/security-policy/"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-09T20:27:09.498Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"name":"OpenSSL Advisory","tags":["vendor-advisory"],"url":"https://openssl-library.org/news/secadv/20260609.txt"},{"name":"4.0.1 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873"},{"name":"3.6.3 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d"},{"name":"3.5.7 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/810b722f772652ad48042bcc7ab07e3414b11d0f"},{"name":"3.4.6 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/665d5254083affde9982efca7c41dd01cacc8774"},{"name":"3.0.21 git commit","tags":["patch"],"url":"https://github.com/openssl/security/commit/61a86a8cd73546c9fea916f3d304c1293e05c046"}],"source":{"discovery":"UNKNOWN"},"title":"NULL Pointer Dereference in CRMF EncryptedValue Decryption","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2026-42767","datePublished":"2026-06-09T16:03:27.435Z","dateReserved":"2026-04-29T09:22:27.968Z","dateUpdated":"2026-06-09T20:27:09.498Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-09 17:17:08","lastModifiedDate":"2026-06-09 21:17:17","problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"42767","Ordinal":"1","Title":"NULL Pointer Dereference in CRMF EncryptedValue Decryption","CVE":"CVE-2026-42767","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"42767","Ordinal":"1","NoteData":"Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","Type":"Description","Title":"NULL Pointer Dereference in CRMF EncryptedValue Decryption"}]}}}