Critical OpenSSL Vulnerability Could Enable Remote Code Execution, Affecting QUIC Services and Beyond
OpenSSL has patched 18 vulnerabilities — led by a high-severity heap use-after-free bug in PKCS#7 signature verification — affecting every supported branch from the cutting-edge 4.0 series to legacy 1.0.2 deployments still under extended support. Administrators should treat the new releases as an emergency maintenance window.
- CVE-2026-45447: heap use-after-free in PKCS7_verify() — potential remote code execution (High)
- 18 total CVEs patched across OpenSSL 4.0, 3.x, 1.1.1, and 1.0.2 branches
- QUIC services face two independent denial-of-service paths (CVE-2026-34183, CVE-2026-42764)
- AES-OCB, AES-SIV, and AES-GCM-SIV cryptographic integrity flaws enable ciphertext forgery
- Fix: upgrade to patched minor versions immediately — details in the version table below
The Core Flaw: Use-After-Free in PKCS7_verify()
At the heart of this advisory is CVE-2026-45447, a heap use-after-free vulnerability discovered by a California-based researcher in collaboration with Claude AI and Anthropic Research. The bug lives in OpenSSL’s PKCS7_verify() function and can be triggered by a specially crafted PKCS#7 or S/MIME signed message.
When a SignedData digestAlgorithms field is present but encoded as an empty ASN.1 SET, OpenSSL incorrectly frees a BIO object that is still owned by the caller. If the application subsequently reuses or releases the same BIO, the already-freed memory is accessed — the classic use-after-free pattern. In the mildest case this causes a process crash or heap corruption; in complex multi-library applications where heap layout can be shaped by an attacker, it may escalate to controlled remote code execution. The OpenSSL team rates it High severity, with a CVSS base score of 9.8.
Any service that calls the affected API to verify PKCS#7 or S/MIME signatures is in scope: mail gateways, content inspection systems, VPN concentrators, custom signature services, and more.
All Patched Vulnerabilities at a Glance
| CVE | Component | Impact | Severity |
|---|---|---|---|
| CVE-2026-45447 | PKCS7_verify() — heap use-after-free | Remote code execution, crash, heap corruption | High |
| CVE-2026-7383 | ASN.1 multibyte string conversion — heap buffer overflow | Possible arbitrary code execution (requires huge attacker-controlled input) | Low |
| CVE-2026-35188 | OCSP stapled response — double-free | Denial of service; code execution theoretically possible but complex | Medium |
| CVE-2026-45445 | AES-OCB via EVP_Cipher() — IV ignored | Nonce reuse; ciphertext forgery in affected applications | Medium |
| CVE-2026-45446 | AES-SIV / AES-GCM-SIV — empty ciphertext tag acceptance | Forgery of authentication-only messages | Medium |
| CVE-2026-34183 | QUIC PATH_CHALLENGE handler — unbounded memory growth | Denial of service (memory exhaustion) | Medium |
| CVE-2026-42764 | QUIC server initial packet handling — NULL dereference | Denial of service (when address verification disabled) | Medium |
| CVE-2026-42765 | Certificate / OCSP verification — NULL dereference | Client or server crash on crafted certificate chains | Medium |
| CVE-2026-42769 | CMP root CA key update — logic error | Attacker with registry credentials can substitute arbitrary root CA | Medium |
| CVE-2026-42770 | Finite-domain DH (X9.42) — weak authentication | Small subgroup attack; private key recovery after limited exchanges | Medium |
| CVE-2026-34182 | CMS AuthEnvelopedData processing — forged messages | Authentication bypass | Medium |
| CVE-2026-9076 | CMS password-based decryption — out-of-bounds read | Information disclosure or crash | Low |
| CVE-2026-34180 | ASN.1 content parsing — heap buffer over-read | Information disclosure or crash | Low |
| CVE-2026-34181 | PKCS#12 PBMAC1 — short HMAC keys accepted | Integrity bypass in PKCS#12 operations | Low |
| CVE-2026-42766 | CRMF EncryptedValue decryption — NULL dereference | Crash in CMP/CRMF workflows | Low |
QUIC Services: Two Independent Attack Paths
QUIC deployments face a pair of denial-of-service vulnerabilities that can cripple services independently of the PKCS#7 flaw. CVE-2026-34183 allows an attacker to flood a server with PATH_CHALLENGE frames, triggering unbounded memory growth until the process is killed or the host runs out of resources. Separately, CVE-2026-42764 introduces a NULL pointer dereference during initial packet processing — exploitable when server-side address verification is disabled, a configuration that is unfortunately common in performance-optimized deployments. Organizations running QUIC-based services should verify that address verification is enabled and apply the patches immediately.
Cryptographic Integrity Failures: Forgery Without Key Knowledge
Three vulnerabilities undermine the authenticity guarantees that developers rightfully expect from OpenSSL’s higher-level cipher APIs. The most subtle is CVE-2026-45445: AES-OCB contexts driven through the one-shot EVP_Cipher() interface silently ignore the caller-supplied IV, causing nonce reuse and making authentication tags depend only on the key and IV — opening the door to ciphertext forgery. CVE-2026-45446 affects AES-SIV and AES-GCM-SIV, which incorrectly accept all-zero authentication tags for messages containing only additional authenticated data, enabling forgery of such messages via the EVP interface. Applications that have adopted these modern AEAD modes specifically for their stronger authentication guarantees should audit API call sites and update immediately.
PKI and Key Exchange: Trust Anchor Subversion
Two lower-profile vulnerabilities carry outsized operational risk in PKI-heavy environments. CVE-2026-42769 exploits a logic error in the CMP root CA key update process: an attacker who has obtained registry-level credentials can trick a CMP client into accepting an arbitrary certificate as a new trusted root CA, permanently compromising that client’s trust store. CVE-2026-42770 targets finite-domain DH peer processing with X9.42 parameters, enabling a small subgroup attack that can recover the victim’s private key after only a limited number of observed key exchanges. When a narrow implementation flaw reaches the trust establishment layer, its impact far exceeds what its standalone severity rating might suggest.
Patched Versions — Upgrade Targets
The OpenSSL team has released fixes across every affected branch. Upgrade to the following versions:
Recommended Actions for Security Teams
- Patch immediately. Upgrade all OpenSSL instances to the fixed minor versions listed above — treat this as an emergency maintenance window, not routine patching.
- Audit PKCS#7 and CMS API usage. Identify every service that calls PKCS7_verify(), CMS_decrypt(), or related APIs and confirm they are running patched libraries.
- Harden QUIC servers. Ensure address verification is enabled; monitor for abnormal PATH_CHALLENGE traffic patterns or spikes in initial packet failures.
- Review AEAD call sites. Check all custom uses of AES-OCB, AES-SIV, and AES-GCM-SIV through the EVP interface for proper IV handling and re-test authentication logic after patching.
- Audit CMP and PKI pipelines. Any environment using CMP root CA key update or finite-domain DH (X9.42) should verify configuration and credential controls before re-enabling those workflows.
- Fingerprint deployed libraries. OpenSSL often ships silently inside VPN concentrators, email gateways, and embedded appliances. Use version fingerprinting tools to surface hidden instances.
- Monitor for active probing. Watch for malformed PKCS#7 or CMS objects in traffic, unusual OCSP error spikes, and abnormal QUIC session patterns — these may indicate exploitation attempts against unpatched instances.
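As an added defensive check that is not code from the advisory or from OpenSSL: the core flaw described earlier is triggered by a SignedData whose digestAlgorithms field is present but an empty SET, and the monitoring item above asks defenders to watch for malformed PKCS#7 objects. The Python DER walker below flags exactly that shape so a gateway can reject the object before it reaches PKCS7_verify() or log it for investigation; the function names and the two constructed sample messages are this example's own.

```python
# Added example (not OpenSSL's code): flag a PKCS#7 ContentInfo whose SignedData has an
# EMPTY digestAlgorithms SET, the malformed shape the advisory ties to CVE-2026-45447.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
SHA256_OID = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1

def read_tlv(buf, off):
    """Parse one DER TLV at buf[off]; return (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def expect(buf, off, want):
    """read_tlv plus a tag check; a mismatch raises ValueError like truncation does."""
    tag, s, e = read_tlv(buf, off)
    if tag != want:
        raise ValueError("unexpected tag %#x" % tag)
    return s, e

def has_empty_digest_algorithms(der_bytes):
    """True if der_bytes is ContentInfo -> SignedData whose digestAlgorithms SET is empty."""
    try:
        s, e = expect(der_bytes, 0, 0x30)           # ContentInfo SEQUENCE
        s, e = expect(der_bytes, s, 0x06)           # contentType OID
        if der_bytes[s:e] != SIGNED_DATA_OID:
            return False                            # not SignedData at all
        s, e = expect(der_bytes, e, 0xA0)           # [0] EXPLICIT content
        s, e = expect(der_bytes, s, 0x30)           # SignedData SEQUENCE
        s, e = expect(der_bytes, s, 0x02)           # version INTEGER
        s, e = expect(der_bytes, e, 0x31)           # digestAlgorithms SET OF AlgorithmIdentifier
        return s == e                               # present but empty: flag it
    except ValueError:                              # wrong shape or truncated input
        return False

def der(tag, body):  # short-form DER encoder, enough for bodies < 128 bytes
    return bytes([tag, len(body)]) + body

def build_signed_data(digest_algs):
    """Constructed minimal ContentInfo/SignedData with the given digestAlgorithms body."""
    signed = (der(0x02, b"\x01") + der(0x31, digest_algs)
              + der(0x30, der(0x06, DATA_OID)) + der(0x31, b""))
    return der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, der(0x30, signed)))

SUSPECT = build_signed_data(b"")                                   # constructed: empty SET
BENIGN = build_signed_data(der(0x30, der(0x06, SHA256_OID) + der(0x05, b"")))  # sha256 AlgId
```

Feed the raw DER of an S/MIME or PKCS#7 object to has_empty_digest_algorithms() ahead of signature verification; a True result is the malformed structure the advisory describes and should be rejected and logged rather than verified.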
Because OpenSSL does not publish indicators of compromise such as IP addresses or domain names in this advisory — the issues are implementation flaws, not network-specific campaigns — defenders must rely on library version auditing, protocol-aware traffic inspection, and rapid patching as their primary controls. Network and endpoint monitoring can play a supporting role, but there is no substitute for deploying the fixed releases.
