CVE-2026-42766
Published: 09 June 2026
Summary
CVE-2026-42766 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in OpenSSL. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 44.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
A NULL pointer dereference vulnerability exists in OpenSSL's CMS implementation during decryption of password-encrypted messages. The issue occurs because the PasswordRecipientInfo.keyDerivationAlgorithm field, defined as OPTIONAL in the ASN.1 specification, may be absent in crafted inputs; the code dereferences this field without checking for its presence. Applications that process password-encrypted CMS messages are affected, while the FIPS modules in OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 are not impacted as the affected code lies outside the module boundary. The vulnerability carries a CVSS score of 5.9 and is classified under CWE-476.
An attacker can supply a specially crafted password-encrypted CMS message over the network to any application performing password-based CMS decryption. Successful exploitation triggers the NULL dereference, resulting in an application crash and denial of service. The attack requires no privileges or user interaction but has high complexity due to the need for a valid password-encrypted CMS context.
The referenced OpenSSL commits provide the patches that address the missing validation of the keyDerivationAlgorithm field during CMS decryption. Security practitioners should apply the updates from these commits to remediate the issue. The current EPSS score remains low at 0.0007 with no indicated rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35483
Vulnerability details
Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
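The root cause described in the analysis and in the advisory text above is an OPTIONAL ASN.1 member that becomes a NULL pointer in the decoded structure when the encoding omits it. The C below is an added example, not OpenSSL's code: a minimal DER walker over the content of a PasswordRecipientInfo SEQUENCE (version, keyDerivationAlgorithm [0] OPTIONAL, keyEncryptionAlgorithm, encryptedKey, as laid out in RFC 5652) that reports whether the optional field is present, so a decryptor can reject the message instead of dereferencing a missing field. The sample byte strings are constructed with placeholder algorithm bodies, and the "reject when absent" policy is an assumption of this example.

```c
#include <stddef.h>
#include <stdio.h>
/* Minimal DER TLV reader (short-form lengths only, enough for the constructed
 * samples below). Returns header+content size, or 0 if the element is malformed. */
static size_t tlv_read(const unsigned char *p, size_t n,
                       unsigned char *tag, size_t *len) {
    if (n < 2 || (p[1] & 0x80))   /* need tag+length; long-form lengths not handled */
        return 0;
    *tag = p[0];
    *len = p[1];
    return (2 + *len > n) ? 0 : 2 + *len;   /* content must fit in the buffer */
}

/* Inspect the content of a PasswordRecipientInfo SEQUENCE (RFC 5652):
 *   version INTEGER, keyDerivationAlgorithm [0] OPTIONAL,
 *   keyEncryptionAlgorithm SEQUENCE, encryptedKey OCTET STRING
 * Returns 1 if the OPTIONAL [0] field is present, 0 if absent, -1 if malformed. */
int pwri_has_kdf(const unsigned char *p, size_t n) {
    unsigned char tag; size_t len, used;
    used = tlv_read(p, n, &tag, &len);
    if (used == 0 || tag != 0x02) return -1;   /* version INTEGER is mandatory */
    p += used; n -= used;
    used = tlv_read(p, n, &tag, &len);
    if (used == 0) return -1;
    if (tag == 0xA0) return 1;   /* context-specific [0]: keyDerivationAlgorithm present */
    if (tag == 0x30) return 0;   /* keyEncryptionAlgorithm came first: field omitted */
    return -1;
}
/* Gate for the decryptor (policy assumed here): proceed only when the field is
 * present, so the pointer that would hold it is never dereferenced while NULL. */
int pwri_decrypt_allowed(const unsigned char *p, size_t n) {
    return pwri_has_kdf(p, n) == 1;
}

/* Constructed samples, not real CMS captures; algorithm bodies are placeholders. */
static const unsigned char WITH_KDF[] = {
    0x02,0x01,0x00,           /* version 0 */
    0xA0,0x02, 0x06,0x00,     /* [0] keyDerivationAlgorithm */
    0x30,0x02, 0x06,0x00,     /* keyEncryptionAlgorithm */
    0x04,0x02, 0xAA,0xBB };   /* encryptedKey */
static const unsigned char NO_KDF[] = {
    0x02,0x01,0x00,
    0x30,0x02, 0x06,0x00,     /* keyEncryptionAlgorithm directly after version */
    0x04,0x02, 0xAA,0xBB };

int main(void) {
    printf("with kdf: %d, no kdf: %d\n", pwri_has_kdf(WITH_KDF, sizeof WITH_KDF),
           pwri_has_kdf(NO_KDF, sizeof NO_KDF));
    return 0;
}
```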
- CWE(s): CWE-476 NULL Pointer Dereference
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
NULL dereference in network-facing CMS decryption directly enables application crash via crafted input (T1499.004).
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.