{"id":"CVE-2026-42766","summary":"Possible NULL Dereference in Password-Based CMS Decryption","details":"Issue summary: A specially crafted password-encrypted CMS message\ncan trigger a NULL pointer dereference during CMS decryption.\n\nImpact summary: This NULL pointer dereference leads to an application crash\nand a Denial of Service.\n\nThe CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as\nOPTIONAL in the ASN.1 specification and may therefore be absent in specially\ncrafted inputs. During the password-based CMS decryption the OpenSSL\nCMS implementation dereferences this field without first checking whether it\nwas present.\n\nAn attacker who supplies such a CMS message to an application performing\npassword-based CMS decryption can trigger an application crash, leading to\na Denial of Service.\n\nApplications that process password-encrypted CMS messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","modified":"2026-06-12T12:29:09.669279307Z","published":"2026-06-09T16:03:26.679Z","related":["ALSA-2026:25237","ALSA-2026:25239","CGA-4pf8-cgch-9rvx"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42766.json","cwe_ids":["CWE-476"],"cna_assigner":"openssl"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42766.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42766"},{"type":"ADVISORY","url":"https://openssl-library.org/news/secadv/20260609.txt"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8"},{"type":"FIX","url":"https://github.com/openssl/security/commit/056d06c1918fafbb98c1c85a02e4c47cc4e199ce"},{"type":"FIX","url":"https://github.com/openssl/security/commit/12bc26ffb3a2be728c9b86e1cae277de5b33dfa4"},{"type":"FIX","url":"https://github.com/openssl/security/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7"},{"type":"FIX","url":"https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4"},{"type":"FIX","url":"https://github.com/openssl/security/commit/da26f368732b83e40e9d356fe61c3d3aaab6d2e8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"11b7b6ea3b65a584e1d31408ed1bdb139465cffd"},{"fixed":"1e963a8680ec78ad2072792c7a1a71f3c530bd2e"},{"introduced":"7b371d80d959ec9ab4139d09d78e83c090de9779"},{"fixed":"aae016bfd52fcad2bc9657c2c782cfdf73b1ed5f"},{"introduced":"636dfadc70ce26f2473870570bfd9ec352806b1d"},{"fixed":"8cf17aaeb4599f8af87fefd810b5b5fee90fe69e"},{"introduced":"98acb6b02839c609ef5b837794e08d906d965335"},{"fixed":"c5ea1cc227fd60afae8ac4b9438690bbe4888f79"},{"introduced":"89cd17a031e022211684eb7eb41190cf1910f9fa"},{"fixed":"51ea949dc1436e865935b47874b21a3bb31a102e"},{"introduced":"e04bd3433fd84e1861bf258ea37928d9845e6a86"},{"fixed":"e04bd3433fd84e1861bf258ea37928d9845e6a86"},{"introduced":"e818b74be2170fbe957a07b0da4401c2b694b3b8"},{"fixed":"e818b74be2170fbe957a07b0da4401c2b694b3b8"}],"database_specific":{"extracted_events":[{"introduced":"4.0.0"},{"fixed":"4.0.1"},{"introduced":"3.6.0"},{"fixed":"3.6.3"},{"introduced":"3.5.0"},{"fixed":"3.5.7"},{"introduced":"3.4.0"},{"fixed":"3.4.6"},{"introduced":"3.0.0"},{"fixed":"3.0.21"},{"introduced":"1.1.1"},{"fixed":"1.1.1zh"},{"introduced":"1.0.2"},{"fixed":"1.0.2zq"}],"source":"AFFECTED_FIELD"}}],"versions":["openssl-4.0.0","openssl-3.0.20","openssl-3.4.5","openssl-3.5.6","openssl-3.6.2","openssl-3.0.19","openssl-3.4.4","openssl-3.5.5","openssl-3.6.1","3.4-POST-CLANG-FORMAT-WEBKIT","3.0-POST-CLANG-FORMAT-WEBKIT","3.4-PRE-CLANG-FORMAT-WEBKIT","3.5-POST-CLANG-FORMAT-WEBKIT","3.0-PRE-CLANG-FORMAT-WEBKIT","3.5-PRE-CLANG-FORMAT-WEBKIT","3.6-POST-CLANG-FORMAT-WEBKIT","3.6-PRE-CLANG-FORMAT-WEBKIT","openssl-3.6.0","openssl-3.0.18","openssl-3.4.3","openssl-3.5.4","openssl-3.5.3","openssl-3.5.2","openssl-3.0.17","openssl-3.4.2","openssl-3.5.1","openssl-3.5.0","openssl-3.0.16","openssl-3.4.1","openssl-3.4.0","openssl-3.0.15","openssl-3.0.14","openssl-3.0.13","openssl-3.0.12","openssl-3.0.11","openssl-3.0.10","openssl-3.0.9","openssl-3.0.8","openssl-3.0.7","openssl-3.0.6","openssl-3.0.5","openssl-3.0.4","openssl-3.0.3","openssl-3.0.2","openssl-3.0.1","openssl-3.0.0"],"database_specific":{"vanir_signatures":[{"digest":{"line_hashes":["28170854778703993674264004058177114599","73132526844288570625317440636111911761","177405411499435185068645597737938634778","224809958623850711330610094965797758930","295554444428855106393106961197201359586"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","deprecated":false,"target":{"file":"include/openssl/opensslv.h"},"source":"https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86","id":"CVE-2026-42766-c377fa22"},{"digest":{"line_hashes":["251633914150035957322733061977107206211","338514574181828579838011565939158652696","76638288692106140328510055542557597351","142922657400765574308962710386922248045","71649992455794854055653842592139575350","65527166711110472566013424527579064967","253196866009476977787139000804413898733","172177136897997206866313011107384691461"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","id":"CVE-2026-42766-e051451f","target":{"file":"crypto/opensslv.h"},"deprecated":false,"source":"https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8"}],"vanir_signatures_modified":"2026-06-11T08:15:12Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42766.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}