{"id":"CVE-2026-42768","summary":"Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()","details":"Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to\nBleichenbacher-style attack when an attacker is able to provide the CMS or\nS/MIME messages and observe the error code and/or decryption output.\n\nImpact summary: The Bleichenbacher-style attack allows an attacker to use the\nvictim's vulnerable application as a way to decrypt or sign messages with the\nvictim's private RSA key.\n\nThe attack is possible in 2 variants.\n\n1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without\nproviding the recipient certificate. In this case OpenSSL iterates over every\nKeyTransRecipientInfo (KTRI) without stopping at the first success.\n\nAn attacker who authors a message with two KTRI entries — the first one\nwrapping a real CEK under the victim's public key, the second with an\narbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to\nget a valid PKCS#1 v1.5 padding if the error code of the application is\navailable.\n\nThat is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an\nadaptive-chosen-ciphertext side channel from which the attacker decrypts any\nRSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under\nit.\n\n2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with\nthe recipient certificate, and the recipient is not found, a random\nkey is substituted.\n\nAn attacker who authors a message and is able to compare both error code and\nthe result of the decryption, can mount a Bleichenbacher oracle.\n\nWe are not aware of any applications that provide a remote attacker\nan opportunity to mount an attack described in these scenarios. We consider\nthe existence of such application very unlikely, and for this reason this\nCVE has been evaluated as Low severity.\n\nTo avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the\ninvoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described\nin draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit\nrejection was explicitly disabled.\n\nThe implicit rejection mechanism always returns a plaintext value,\nthe symmetric key. This result is deterministic for the ciphertext and the\nprivate key.  The length of the decryption result can happen to match the\nlength of the key of the symmetric cipher that was used for the content\nencryption. When a certificate is not provided, the last RecipientInfo\nproducing a key that looks valid will be used. It may cause getting garbage\ncontent on decryption. As a proper way to deal with this a recipient\ncertificate has to be provided to identify the particular RecipientInfo for\ndecryption.\n\nThe FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as\nCMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.","modified":"2026-06-12T12:29:09.306760452Z","published":"2026-06-09T16:03:28.206Z","related":["ALSA-2026:25237","ALSA-2026:25239","CGA-mhx9-cq4h-j57h"],"database_specific":{"cwe_ids":["CWE-514"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42768.json","cna_assigner":"openssl"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42768.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42768"},{"type":"ADVISORY","url":"https://openssl-library.org/news/secadv/20260609.txt"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/a2ca7b2d73e0ffc1eae183fe6e1741dac767cb4f"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/bbb151a83041705d9d001ed2f9c12f5523e1b54d"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/dd68364107a58841c0a2546812518b65d3a23abd"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/f04b377be3d821741c86d1f4bf84dee09f3d5c3e"},{"type":"FIX","url":"https://github.com/openssl/security/commit/a2ca7b2d73e0ffc1eae183fe6e1741dac767cb4f"},{"type":"FIX","url":"https://github.com/openssl/security/commit/bbb151a83041705d9d001ed2f9c12f5523e1b54d"},{"type":"FIX","url":"https://github.com/openssl/security/commit/dd68364107a58841c0a2546812518b65d3a23abd"},{"type":"FIX","url":"https://github.com/openssl/security/commit/f04b377be3d821741c86d1f4bf84dee09f3d5c3e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"11b7b6ea3b65a584e1d31408ed1bdb139465cffd"},{"fixed":"1e963a8680ec78ad2072792c7a1a71f3c530bd2e"},{"introduced":"7b371d80d959ec9ab4139d09d78e83c090de9779"},{"fixed":"aae016bfd52fcad2bc9657c2c782cfdf73b1ed5f"},{"introduced":"636dfadc70ce26f2473870570bfd9ec352806b1d"},{"fixed":"8cf17aaeb4599f8af87fefd810b5b5fee90fe69e"},{"introduced":"98acb6b02839c609ef5b837794e08d906d965335"},{"fixed":"c5ea1cc227fd60afae8ac4b9438690bbe4888f79"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"4.0.0"},{"fixed":"4.0.1"},{"introduced":"3.6.0"},{"fixed":"3.6.3"},{"introduced":"3.5.0"},{"fixed":"3.5.7"},{"introduced":"3.4.0"},{"fixed":"3.4.6"}]}}],"versions":["openssl-4.0.0","openssl-3.4.5","openssl-3.5.6","openssl-3.6.2","openssl-3.4.4","openssl-3.5.5","openssl-3.6.1","3.4-POST-CLANG-FORMAT-WEBKIT","3.4-PRE-CLANG-FORMAT-WEBKIT","3.5-POST-CLANG-FORMAT-WEBKIT","3.5-PRE-CLANG-FORMAT-WEBKIT","3.6-POST-CLANG-FORMAT-WEBKIT","3.6-PRE-CLANG-FORMAT-WEBKIT","openssl-3.6.0","openssl-3.4.3","openssl-3.5.4","openssl-3.5.3","openssl-3.5.2","openssl-3.4.2","openssl-3.5.1","openssl-3.5.0","openssl-3.4.1","openssl-3.4.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-42768.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}