OpenSSL Trust-Anchor Substitution via Certificate Verification Error in CMP Root CA Key Update

Vulnerability

A vulnerability in OpenSSL's handling of Certificate Management Protocol (CMP) Root CA key update messages can lead to unauthorized escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (CA) level. This issue arises from a typo in the certificate verification process, which allows an RA to replace the root CA certificate for CMP clients with an arbitrary root CA certificate. The vulnerability is present in OpenSSL versions 4.0, 3.6, 3.5, and 3.4.

Impact

Exploitation of this vulnerability could allow an RA to replace the root CA certificate for CMP clients with a certificate of their choosing, effectively allowing them to act as a trusted root CA.

Reproduction

To reproduce this vulnerability, an attacker must have valid RA-level credentials and send a crafted self-signed certificate in an 'id-it-rootCaKeyUpdate' CMP message. The affected CMP client will accept this certificate as a new trust anchor.

Remediation

Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1, users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.3, users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.7, and users of OpenSSL 3.4 should upgrade to OpenSSL 3.4.6.
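
The upgrade targets above can be applied across a host inventory with a small triage script. This is an added example, not code from the OpenSSL project or from this advisory; the function names, host names and sample banners are hypothetical, and only the branch-to-fixed-release mapping comes from the text above.

```python
import re

# Fixed release per affected branch, copied from the Remediation text above.
FIXED_PATCH = {(4, 0): 1, (3, 6): 3, (3, 5): 7, (3, 4): 6}

# Matches the upstream "OpenSSL X.Y.Z[-prerelease]" banner from `openssl version`.
BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")

def triage(banner):
    """Return (status, target): status is upgrade, fixed, not-listed or unparsed."""
    m = BANNER_RE.search(banner)
    if m is None:
        return ("unparsed", None)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Branch is not named in the advisory; that is not a statement that
        # it is unaffected, only that this page gives no fixed release for it.
        return ("not-listed", None)
    target = f"{major}.{minor}.{fixed}"
    # Assumption: a pre-release build of the fixed version (e.g. "-dev") is
    # treated as still needing the upgrade, since it may predate the fix.
    is_prerelease = m.group(4) is not None
    if patch < fixed or (patch == fixed and is_prerelease):
        return ("upgrade", target)
    return ("fixed", target)

def hosts_to_upgrade(inventory):
    """Map host -> target release for every host whose banner needs an upgrade."""
    verdicts = {host: triage(banner) for host, banner in inventory.items()}
    return {h: t for h, (s, t) in verdicts.items() if s == "upgrade"}

# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "cmp-client-01": "OpenSSL 3.5.6 (constructed banner)",
    "cmp-client-02": "OpenSSL 4.0.1 (constructed banner)",
    "cmp-client-03": "OpenSSL 3.6.3-dev (constructed banner)",
    "legacy-host": "OpenSSL 3.0.15 (constructed banner)",
    "other-tls": "LibreSSL 3.9.0 (constructed banner)",
}

if __name__ == "__main__":
    for host, target in sorted(hosts_to_upgrade(SAMPLE_INVENTORY).items()):
        print(f"{host}: upgrade to OpenSSL {target}")
```

Distribution packages can carry a backported fix under an unchanged upstream version string, so confirm any "upgrade" result against the vendor's own advisory.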

Added: Jun 9, 2026, 8:02 PM
Updated: Jun 9, 2026, 8:02 PM

Vulnerability Rating

Custom Algorithm

spread: 8.6
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.