{"id":"CVE-2026-42767","summary":"NULL Pointer Dereference in CRMF EncryptedValue Decryption","details":"Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","modified":"2026-06-12T12:29:11.255066821Z","published":"2026-06-09T16:03:27.435Z","related":["ALSA-2026:25237","ALSA-2026:25239","CGA-39mr-jp3c-8ccj"],"database_specific":{"cna_assigner":"openssl","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42767.json","cwe_ids":["CWE-476"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42767.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42767"},{"type":"ADVISORY","url":"https://openssl-library.org/news/secadv/20260609.txt"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/665d5254083affde9982efca7c41dd01cacc8774"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/810b722f772652ad48042bcc7ab07e3414b11d0f"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d"},{"type":"FIX","url":"https://github.com/openssl/security/commit/61a86a8cd73546c9fea916f3d304c1293e05c046"},{"type":"FIX","url":"https://github.com/openssl/security/commit/665d5254083affde9982efca7c41dd01cacc8774"},{"type":"FIX","url":"https://github.com/openssl/security/commit/810b722f772652ad48042bcc7ab07e3414b11d0f"},{"type":"FIX","url":"https://github.com/openssl/security/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873"},{"type":"FIX","url":"https://github.com/openssl/security/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"11b7b6ea3b65a584e1d31408ed1bdb139465cffd"},{"fixed":"1e963a8680ec78ad2072792c7a1a71f3c530bd2e"},{"introduced":"7b371d80d959ec9ab4139d09d78e83c090de9779"},{"fixed":"aae016bfd52fcad2bc9657c2c782cfdf73b1ed5f"},{"introduced":"636dfadc70ce26f2473870570bfd9ec352806b1d"},{"fixed":"8cf17aaeb4599f8af87fefd810b5b5fee90fe69e"},{"introduced":"98acb6b02839c609ef5b837794e08d906d965335"},{"fixed":"c5ea1cc227fd60afae8ac4b9438690bbe4888f79"},{"introduced":"89cd17a031e022211684eb7eb41190cf1910f9fa"},{"fixed":"51ea949dc1436e865935b47874b21a3bb31a102e"}],"database_specific":{"extracted_events":[{"introduced":"4.0.0"},{"fixed":"4.0.1"},{"introduced":"3.6.0"},{"fixed":"3.6.3"},{"introduced":"3.5.0"},{"fixed":"3.5.7"},{"introduced":"3.4.0"},{"fixed":"3.4.6"},{"introduced":"3.0.0"},{"fixed":"3.0.21"}],"source":"AFFECTED_FIELD"}}],"versions":["openssl-4.0.0","openssl-3.0.20","openssl-3.4.5","openssl-3.5.6","openssl-3.6.2","openssl-3.0.19","openssl-3.4.4","openssl-3.5.5","openssl-3.6.1","3.4-POST-CLANG-FORMAT-WEBKIT","3.0-POST-CLANG-FORMAT-WEBKIT","3.4-PRE-CLANG-FORMAT-WEBKIT","3.5-POST-CLANG-FORMAT-WEBKIT","3.0-PRE-CLANG-FORMAT-WEBKIT","3.5-PRE-CLANG-FORMAT-WEBKIT","3.6-POST-CLANG-FORMAT-WEBKIT","3.6-PRE-CLANG-FORMAT-WEBKIT","openssl-3.6.0","openssl-3.0.18","openssl-3.4.3","openssl-3.5.4","openssl-3.5.3","openssl-3.5.2","openssl-3.0.17","openssl-3.4.2","openssl-3.5.1","openssl-3.5.0","openssl-3.0.16","openssl-3.4.1","openssl-3.4.0","openssl-3.0.15","openssl-3.0.14","openssl-3.0.13","openssl-3.0.12","openssl-3.0.11","openssl-3.0.10","openssl-3.0.9","openssl-3.0.8","openssl-3.0.7","openssl-3.0.6","openssl-3.0.5","openssl-3.0.4","openssl-3.0.3","openssl-3.0.2","openssl-3.0.1","openssl-3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42767.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}