CVE-2026-42765
Published: 09 June 2026
Summary
CVE-2026-42765 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in OpenSSL. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 33.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2026-42765 is a NULL pointer dereference vulnerability in OpenSSL's certificate chain verification code. It occurs when an application enables both partial-chain verification (X509_V_FLAG_PARTIAL_CHAIN) and OCSP response checking for the entire chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL). In this configuration, when the verified chain ends in a trusted certificate that is not self-signed, the verification logic dereferences the issuer pointer of that final certificate, which is NULL, and the process crashes. The issue is present in the core OpenSSL library outside the FIPS module boundary and carries a CVSS score of 7.5.
An unauthenticated remote attacker can trigger the flaw by supplying a certificate chain that lacks a self-signed root during TLS or other certificate-validation operations. Successful exploitation produces a denial of service through process termination; there is no confidentiality or integrity impact. Both affected verification flags are disabled by default, limiting exposure to applications that have explicitly enabled the combination.
The official OpenSSL advisory and the referenced commits (14340b7 and eb345da) describe the root cause and provide patches that add the missing NULL check for the issuer pointer when partial-chain mode is active. No other mitigations are specified beyond applying the updates or ensuring the two flags remain disabled.
The current EPSS score of 0.0003 indicates negligible observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35482
Vulnerability details
Issue summary: When a partial-chain certificate verification is enabled together with OCSP response checking for the whole chain, a NULL dereference will happen if the verified chain does not have a self-signed trusted anchor, crashing the process. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When performing OCSP response checking for certificates in the verification chain, the code always tries to access the next certificate as the issuer. There is a check for a self-signed certificate. However with the partial chain verification enabled when the chain does not have a self-signed trusted anchor, the issuer will be NULL for the last certificate in the chain. A NULL pointer dereference then happens. This issue affects only applications which enable both OCSP verification of the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial chain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate verification. Both flags are disabled by default. For that reason, we have assigned Low severity to the issue. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.
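The following C program is an added illustration of the chain walk described in the analysis and in the advisory text above. It is not OpenSSL's code and does not come from the advisory or the referenced commits: the struct, the MODEL_* flag bits (stand-ins for X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_OCSP_RESP_CHECK_ALL), the sample chains and the behaviour of the "patched" branch (treating a partial-chain trust anchor like a self-signed root and skipping its OCSP check) are all assumptions made for the example. It shows why both flags are required to reach the fault: without partial-chain mode a chain with no self-signed root fails earlier, and without whole-chain OCSP checking the issuer of the last certificate is never touched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the verification chain walk; NOT OpenSSL's code. */

typedef struct {
    const char *subject;
    const char *issuer;   /* issuer DN; equal to subject for a self-signed cert */
} cert_t;

/* Model flags standing in for X509_V_FLAG_PARTIAL_CHAIN and
 * X509_V_FLAG_OCSP_RESP_CHECK_ALL (bit values are arbitrary here). */
#define MODEL_PARTIAL_CHAIN        0x1u
#define MODEL_OCSP_RESP_CHECK_ALL  0x2u

typedef enum {
    VERIFY_OK = 0,
    VERIFY_FAIL_NO_ISSUER,  /* chain could not be completed to a trust anchor */
    VERIFY_NULL_DEREF       /* models the crash: issuer pointer was NULL */
} verify_result;

static bool is_self_signed(const cert_t *c)
{
    return strcmp(c->subject, c->issuer) == 0;
}

/* chain[0] is the leaf; chain[i+1] is taken as the issuer of chain[i]. */
static const cert_t *issuer_of(const cert_t *chain, size_t n, size_t i)
{
    return (i + 1 < n) ? &chain[i + 1] : NULL;
}

/* Stand-in for validating an OCSP response for `cert` using `issuer`.
 * The real check needs the issuer, which is why a NULL issuer is fatal. */
static void check_ocsp_response(const cert_t *cert, const cert_t *issuer)
{
    printf("  OCSP check: %s (issuer %s)\n", cert->subject, issuer->subject);
}

/* Walks a chain the way the advisory describes. `patched` selects the guarded
 * variant; `*ocsp_checked` receives how many certificates were OCSP-checked. */
verify_result model_verify(const cert_t *chain, size_t n, unsigned flags,
                           bool patched, int *ocsp_checked)
{
    *ocsp_checked = 0;
    if (n == 0)
        return VERIFY_FAIL_NO_ISSUER;

    /* Chain building: without partial-chain mode the last cert must be a
     * self-signed root; with it, any trusted cert may terminate the chain. */
    if (!is_self_signed(&chain[n - 1]) && !(flags & MODEL_PARTIAL_CHAIN))
        return VERIFY_FAIL_NO_ISSUER;

    if (!(flags & MODEL_OCSP_RESP_CHECK_ALL))
        return VERIFY_OK;

    for (size_t i = 0; i < n; i++) {
        if (is_self_signed(&chain[i]))
            break;  /* the existing check: a self-signed anchor is not OCSP-checked */
        const cert_t *issuer = issuer_of(chain, n, i);
        if (issuer == NULL) {
            if (!patched)
                return VERIFY_NULL_DEREF;  /* unguarded code would dereference here */
            break;  /* assumed fix: the partial-chain anchor is treated like a root */
        }
        check_ocsp_response(&chain[i], issuer);
        (*ocsp_checked)++;
    }
    return VERIFY_OK;
}

/* Constructed sample chains (not real certificates). */
static const cert_t FULL_CHAIN[] = {
    { "CN=leaf", "CN=intermediate" },
    { "CN=intermediate", "CN=root" },
    { "CN=root", "CN=root" },             /* self-signed root */
};
static const cert_t PARTIAL_CHAIN[] = {   /* trusted intermediate, no self-signed root */
    { "CN=leaf", "CN=intermediate" },
    { "CN=intermediate", "CN=root" },
};

/* Runs the model over one of the two sample chains. Returns the verify_result,
 * or the number of OCSP-checked certificates when `want_count` is set. */
int run_scenario(bool use_partial_chain, unsigned flags, bool patched, bool want_count)
{
    int checked = 0;
    verify_result r = use_partial_chain
        ? model_verify(PARTIAL_CHAIN, 2, flags, patched, &checked)
        : model_verify(FULL_CHAIN, 3, flags, patched, &checked);
    return want_count ? checked : (int)r;
}

int main(void)
{
    unsigned both = MODEL_PARTIAL_CHAIN | MODEL_OCSP_RESP_CHECK_ALL;
    printf("full chain, both flags, unpatched:\n  result=%d\n", run_scenario(false, both, false, false));
    printf("partial chain, both flags, unpatched:\n  result=%d (2 = would crash)\n", run_scenario(true, both, false, false));
    printf("partial chain, both flags, patched:\n  result=%d\n", run_scenario(true, both, true, false));
    return 0;
}
```

Running the program walks the full chain cleanly (two OCSP checks, then the self-signed root stops the loop), reports the crash condition for the partial chain under the unpatched branch, and shows the guarded branch completing with only the leaf OCSP-checked. The same precondition is what a defender should look for in application code: both flags set on the same X509_VERIFY_PARAM, with trust anchors that are not self-signed.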
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The NULL dereference lets a remote, unauthenticated party cause a denial of service by presenting a crafted certificate chain during TLS or other certificate validation (application exploitation).
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.