CVE-2026-42767
Published: 09 June 2026
Summary
CVE-2026-42767 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Openssl Openssl. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 26.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2026-42767 is a NULL pointer dereference vulnerability in OpenSSL's Certificate Management Protocol (CMP) client implementation. When a CMP client processes a Certificate Request Message Format (CRMF) CertRepMessage containing an EncryptedValue structure whose symmAlg field supplies an algorithm OID without a parameters field, the client dereferences a NULL pointer and crashes. The flaw affects any application that processes untrusted CMP or CRMF messages; the FIPS modules in OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 are explicitly outside the affected code path.
An attacker who controls a CMP server or who can perform a man-in-the-middle attack can send a crafted CMP response that triggers the crash, resulting in a denial-of-service condition for the client. The vulnerability carries a CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-476.
The referenced OpenSSL commits (61a86a8, 665d525, 810b722, b90ff3b, and e6f9129) contain the corrective changes that prevent the NULL dereference when handling the malformed EncryptedValue structure. No other mitigation guidance is supplied in the available references. The current EPSS score of 0.0006 indicates low exploitation probability with no material upward trajectory reported.
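The root cause described above is a classic CWE-476 pattern: an ASN.1 AlgorithmIdentifier carries an OPTIONAL parameters field, and a decoder represents an absent field as a NULL pointer that later code assumes is present. The C example below is added here for illustration; it is not OpenSSL's code and does not reproduce the patched functions. It models a decoded symmAlg as a small struct (the struct, function names, result codes and the 18-byte sample parameters are all constructed for this example) and contrasts the unchecked pattern with a hardened one that rejects a message whose symmAlg has an OID but no parameters instead of crashing. The same check applies to real decoders: in OpenSSL's X509_ALGOR the parameter member is NULL when the OPTIONAL field is absent, so a CMP or CRMF consumer must test for that before using it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a decoded AlgorithmIdentifier (RFC 5280):
 *   AlgorithmIdentifier ::= SEQUENCE {
 *       algorithm  OBJECT IDENTIFIER,
 *       parameters ANY DEFINED BY algorithm OPTIONAL }
 * An ASN.1 decoder leaves params NULL when the OPTIONAL field is absent.
 * This is a teaching model, not OpenSSL's X509_ALGOR. */
typedef struct {
    const char *oid;             /* dotted-decimal OID */
    const unsigned char *params; /* encoded parameters, or NULL if absent */
    size_t params_len;
} alg_id_t;

/* Result codes for the hardened path (constructed for this example). */
enum { ALG_OK = 0, ALG_ERR_NO_PARAMS = -1, ALG_ERR_BAD_PARAMS = -2, ALG_ERR_UNSUPPORTED = -3 };

/* id-aes256-CBC; its parameters are an OCTET STRING holding the 16-byte IV. */
#define AES256_CBC_OID "2.16.840.1.101.3.4.1.42"

/* Unchecked pattern (CWE-476): the OID implies a CBC cipher, so the code
 * assumes an IV is present and reads through alg->params without a NULL
 * check. Shown for contrast only; never call it on an absent field. */
static int iv_from_symmalg_unchecked(const alg_id_t *alg, unsigned char iv[16]) {
    if (strcmp(alg->oid, AES256_CBC_OID) != 0)
        return ALG_ERR_UNSUPPORTED;
    memcpy(iv, alg->params + 2, 16); /* params == NULL -> NULL dereference */
    return ALG_OK;
}

/* Hardened pattern: every OPTIONAL pointer is checked before use and the
 * encoding is validated before anything is copied out of it. */
static int iv_from_symmalg(const alg_id_t *alg, unsigned char iv[16]) {
    if (alg == NULL || alg->oid == NULL)
        return ALG_ERR_BAD_PARAMS;
    if (strcmp(alg->oid, AES256_CBC_OID) != 0)
        return ALG_ERR_UNSUPPORTED;
    if (alg->params == NULL)            /* the field the malformed message omits */
        return ALG_ERR_NO_PARAMS;
    /* Expect OCTET STRING (tag 0x04) of length 16 carrying the IV. */
    if (alg->params_len != 18 || alg->params[0] != 0x04 || alg->params[1] != 0x10)
        return ALG_ERR_BAD_PARAMS;
    memcpy(iv, alg->params + 2, 16);
    return ALG_OK;
}

/* Constructed sample inputs: a well-formed symmAlg and one with the
 * parameters field missing, as in the CVE description. */
static const unsigned char sample_params[18] = {
    0x04, 0x10,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
static const alg_id_t sample_well_formed = { AES256_CBC_OID, sample_params, sizeof sample_params };
static const alg_id_t sample_no_params   = { AES256_CBC_OID, NULL, 0 };

int main(void) {
    unsigned char iv[16];
    /* The unchecked path is only exercised on the well-formed input. */
    printf("unchecked, well-formed: %d\n", iv_from_symmalg_unchecked(&sample_well_formed, iv));
    printf("hardened,  well-formed: %d\n", iv_from_symmalg(&sample_well_formed, iv));
    printf("hardened,  no params:   %d\n", iv_from_symmalg(&sample_no_params, iv));
    return 0;
}
```

The hardened function turns the malformed message into an ordinary protocol error that the client can log and report, which is the behaviour a CMP client should have regardless of which server sent the response.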
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35484
Vulnerability details
Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
NULL dereference in CMP client enables remote DoS via crafted server response (T1499.004 Application or System Exploitation).
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.