OpenSSL
Easy fix8 remedies
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*, +1 more
Easy fix8 remedies
- >= 3.6, < 3.6.2
- >= 3.5, < 3.5.6
- >= 3.4, < 3.4.5
- >= 3.3, < 3.3.7
- >= 3.0, < 3.0.20
- 1.1.1
- 1.0.2
OpenSSL NULL Pointer Dereference Vulnerability in CMS KeyTransportRecipientInfo
Vulnerability
Patched
A NULL pointer dereference vulnerability has been identified in OpenSSL's CMS (Cryptographic Message Syntax) processing, specifically within the KeyTransportRecipientInfo structure when handling RSA-OAEP encrypted messages. This issue arises because the optional parameters field of the RSA-OAEP SourceFunc algorithm identifier is accessed without proper validation, leading to a crash. Applications and services that utilize the CMS_decrypt() function on untrusted data, such as during S/MIME processing or within CMS-based protocols, are susceptible to this vulnerability.
Impact
Exploiting this vulnerability causes applications to crash, creating a denial-of-service condition. The crash occurs before any authentication or cryptographic operations can be completed.
Reproduction
To reproduce this vulnerability, send a crafted CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption. Ensure that the optional parameters field is missing, as this will trigger the NULL pointer dereference when the message is processed.
Remediation
Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.2. Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.6. Users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.5. Users of OpenSSL 3.3 should upgrade to OpenSSL 3.3.7. Users of OpenSSL 3.0 should upgrade to OpenSSL 3.0.20.
Added: Apr 7, 2026, 10:56 PM
Updated: Apr 7, 2026, 10:56 PM
Vulnerability Rating
Custom Algorithm
spread
8.6impact
2.5exploitability
8.4remediation
7.9relevance
5.4threat
4.8urgency
2.9incentive
4.2Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.