OpenSSL Type Confusion Vulnerability in PKCS#7 Signature Verification Allowing Denial-of-Service

Vulnerability

A type confusion vulnerability has been identified in OpenSSL versions 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, and 1.0.2. This vulnerability arises in the signature verification process of signed PKCS#7 data, where an ASN1_TYPE union member is accessed without proper type validation. This oversight can lead to an invalid or NULL pointer dereference when handling malformed PKCS#7 data, causing a crash and denial-of-service condition for applications that perform signature verification or directly call the PKCS7_digest_from_attributes() function.

Impact

Exploiting this vulnerability can cause an application to dereference an invalid or NULL pointer, leading to a crash and denial-of-service condition.

Reproduction

To reproduce this vulnerability, an attacker must provide a malformed signed PKCS#7 file to an application that verifies PKCS#7 signatures. The vulnerability can be triggered by using the OpenSSL command-line tool or through an application that processes PKCS#7 data using the OpenSSL library.

Remediation

Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.1, users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.5, and users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.4.

Added: Jan 27, 2026, 4:26 PM
Updated: Jan 27, 2026, 5:37 PM

Vulnerability Rating

Custom Algorithm
spread
8.6
impact
2.5
exploitability
9.1
remediation
7.7
relevance
1.5
threat
4.8
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.