
CVE-2026-42766


Published: 09 June 2026
Modified: 17 June 2026
Severity: Medium
CVSS v3.1 score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0060 (44.1th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-42766 is a medium-severity NULL pointer dereference (CWE-476) vulnerability in OpenSSL (catalogued as Openssl Openssl). Its CVSS base score is 5.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 44.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Deeper analysis

A NULL pointer dereference vulnerability exists in OpenSSL's CMS implementation during decryption of password-encrypted messages. The issue occurs because the PasswordRecipientInfo.keyDerivationAlgorithm field, defined as OPTIONAL in the ASN.1 specification, may be absent in crafted inputs; the code dereferences this field without checking for its presence. Applications that process password-encrypted CMS messages are affected, while the FIPS modules in OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 are not impacted as the affected code lies outside the module boundary. The vulnerability carries a CVSS score of 5.9 and is classified under CWE-476.

An attacker can supply a specially crafted password-encrypted CMS message over the network to any application performing password-based CMS decryption. Successful exploitation triggers the NULL dereference, resulting in an application crash and denial of service. The attack requires no privileges or user interaction but has high complexity due to the need for a valid password-encrypted CMS context.

The referenced OpenSSL commits provide the patches that address the missing validation of the keyDerivationAlgorithm field during CMS decryption. Security practitioners should apply the updates from these commits to remediate the issue. The current EPSS score remains low at 0.0007 with no indicated rise.


Vulnerability details

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
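As an added illustration (not OpenSSL's code and not taken from the advisory), the following C model decodes the PasswordRecipientInfo shape discussed in the analysis and the details above, and shows the presence check that the text says was missing: the OPTIONAL [0] element is recorded as NULL when absent and rejected before anything dereferences it. The type and function names (pri_t, tlv, pri_parse, pri_decrypt_check), the restriction to short-form DER lengths, and the two sample messages are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the CMS PasswordRecipientInfo layout (RFC 5652):
 *   SEQUENCE { version INTEGER, keyDerivationAlgorithm [0] OPTIONAL,
 *              keyEncryptionAlgorithm SEQUENCE, encryptedKey OCTET STRING }
 * Hypothetical names, short-form DER lengths only; not OpenSSL's own decoder. */
typedef struct {
    const uint8_t *kdf;  size_t kdf_len;   /* NULL when the OPTIONAL field is absent */
    const uint8_t *kea;  size_t kea_len;   /* keyEncryptionAlgorithm */
    const uint8_t *ekey; size_t ekey_len;  /* encryptedKey */
} pri_t;
enum { PRI_OK = 0, PRI_BAD_ENCODING = -1, PRI_MISSING_KDF = -2 };
/* Read one short-form TLV at p; returns the element's total size, 0 on error. */
static size_t tlv(const uint8_t *p, size_t avail, uint8_t *tag,
                  const uint8_t **val, size_t *vlen) {
    if (avail < 2 || (p[1] & 0x80)) return 0;
    *tag = p[0]; *vlen = p[1]; *val = p + 2;
    return (2 + *vlen <= avail) ? 2 + *vlen : 0;
}
/* Decode the structure; an absent [0] element leaves out->kdf == NULL. */
int pri_parse(const uint8_t *der, size_t len, pri_t *out) {
    uint8_t tag; const uint8_t *v; size_t vlen, n;
    if (tlv(der, len, &tag, &v, &vlen) == 0 || tag != 0x30) return PRI_BAD_ENCODING;
    const uint8_t *p = v, *end = v + vlen;
    if ((n = tlv(p, end - p, &tag, &v, &vlen)) == 0 || tag != 0x02) return PRI_BAD_ENCODING;
    p += n; out->kdf = NULL; out->kdf_len = 0;   /* version consumed, KDF absent so far */
    if ((n = tlv(p, end - p, &tag, &v, &vlen)) == 0) return PRI_BAD_ENCODING;
    if (tag == 0xA0) {                           /* [0] keyDerivationAlgorithm is present */
        out->kdf = v; out->kdf_len = vlen; p += n;
        if ((n = tlv(p, end - p, &tag, &v, &vlen)) == 0) return PRI_BAD_ENCODING;
    }
    if (tag != 0x30) return PRI_BAD_ENCODING;    /* keyEncryptionAlgorithm */
    out->kea = v; out->kea_len = vlen; p += n;
    if (tlv(p, end - p, &tag, &v, &vlen) == 0 || tag != 0x04) return PRI_BAD_ENCODING;
    out->ekey = v; out->ekey_len = vlen;
    return PRI_OK;
}

/* Hardened decryption entry point: presence of the OPTIONAL field is verified
 * before use, so a message that omits it yields a clean error, not a crash. */
int pri_decrypt_check(const uint8_t *der, size_t len) {
    pri_t pri;
    if (pri_parse(der, len, &pri) != PRI_OK) return PRI_BAD_ENCODING;
    if (pri.kdf == NULL) return PRI_MISSING_KDF;   /* the check the fix adds */
    return PRI_OK;  /* a real decoder would now derive the KEK from pri.kdf */
}
/* Constructed sample messages; algorithm bodies are dummy ASN.1 NULLs (05 00). */
const uint8_t PRI_WITH_KDF[] = {0x30,0x0F, 0x02,0x01,0x00, 0xA0,0x02,0x05,0x00, 0x30,0x02,0x05,0x00, 0x04,0x02,0xAA,0xBB};
const uint8_t PRI_NO_KDF[] = {0x30,0x0B, 0x02,0x01,0x00, 0x30,0x02,0x05,0x00, 0x04,0x02,0xAA,0xBB};
```

A defensive detection for this class of bug is simply every OPTIONAL ASN.1 member being tested for NULL before use; the second sample exercises exactly that path.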


MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL dereference in network-facing CMS decryption directly enables application crash via crafted input (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42767 (same product: Openssl Openssl)
CVE-2025-69421 (same product: Openssl Openssl)
CVE-2026-42764 (same product: Openssl Openssl)
CVE-2026-42765 (same product: Openssl Openssl)
CVE-2026-28389 (same product: Openssl Openssl)
CVE-2026-28390 (same product: Openssl Openssl)
CVE-2026-28388 (same product: Openssl Openssl)
CVE-2026-28386 (same product: Openssl Openssl)
CVE-2026-42771 (same product: Openssl Openssl)
CVE-2023-0217 (same product: Openssl Openssl)

Affected Assets

Vendor: openssl
Product: openssl
Affected versions: 4.0.0; 1.0.2 to 1.0.2zq; 1.1.1 to 1.1.1zh; 3.0.0 to 3.0.21

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
