Cyber Resilience

CVE-2026-42767

Severity: Medium (updated)
Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: see the referenced OpenSSL commits (Deeper analysis)
CVSS v3.1 Score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0035 (26.9th percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-42767 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in OpenSSL. Its CVSS v3.1 base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 26.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2026-42767 is a NULL pointer dereference vulnerability in OpenSSL's Certificate Management Protocol (CMP) client implementation. When a CMP client processes a Certificate Request Message Format (CRMF) CertRepMessage containing an EncryptedValue structure whose symmAlg field supplies an algorithm OID without a parameters field, the client dereferences a NULL pointer and crashes. The flaw affects any application that processes untrusted CMP or CRMF messages. The FIPS modules in OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected, because the CMP client code lies outside the FIPS module boundary.
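As an added illustration (not OpenSSL's code and not taken from this advisory), the following C model shows the shape of the defect: an AlgorithmIdentifier whose OPTIONAL parameters are absent, handled first by a routine that assumes they exist and then by one that rejects the message before dereferencing anything. The struct, the aes128-CBC OID string and the IV bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the AlgorithmIdentifier carried in a CRMF EncryptedValue's
 * symmAlg field: an OID plus OPTIONAL parameters. Illustrative only; these are not
 * OpenSSL's types or functions. */
typedef struct {
    const char *oid;        /* dotted OID of the symmetric cipher */
    const uint8_t *params;  /* DER-encoded parameters, or NULL when the field is absent */
    size_t params_len;
} alg_id_t;

typedef enum { SYMM_OK = 0, SYMM_MISSING_PARAMS = 1, SYMM_BAD_PARAMS = 2 } symm_status_t;

/* Vulnerable shape: assumes the parameters are always present, so a message whose
 * symmAlg has an OID but no parameters makes memcpy read through a NULL pointer. */
static void get_iv_unchecked(const alg_id_t *alg, uint8_t *iv, size_t iv_len) {
    memcpy(iv, alg->params + 2, iv_len);  /* crashes when alg->params == NULL */
}

/* Hardened shape: absent or malformed parameters are rejected before any dereference.
 * For CBC ciphers the parameters are an OCTET STRING holding the IV
 * (tag 0x04, short-form length byte, then iv_len bytes). */
static symm_status_t get_iv_checked(const alg_id_t *alg, uint8_t *iv, size_t iv_len) {
    if (alg == NULL || alg->params == NULL || alg->params_len == 0)
        return SYMM_MISSING_PARAMS;
    if (alg->params_len != iv_len + 2 || alg->params[0] != 0x04 || (size_t)alg->params[1] != iv_len)
        return SYMM_BAD_PARAMS;
    memcpy(iv, alg->params + 2, iv_len);
    return SYMM_OK;
}

/* Constructed sample inputs: a well-formed aes128-CBC symmAlg, and the malformed
 * shape the advisory describes (OID present, parameters field absent). */
static const uint8_t k_aes128_cbc_params[18] = {
    0x04, 0x10, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
static const alg_id_t k_good = { "2.16.840.1.101.3.4.1.2", k_aes128_cbc_params, 18 };
static const alg_id_t k_malformed = { "2.16.840.1.101.3.4.1.2", NULL, 0 };

/* Helpers exposing each path's outcome; the unchecked path is only run on the
 * well-formed input, since on k_malformed it would dereference NULL. */
static symm_status_t check_good(void) { uint8_t iv[16]; return get_iv_checked(&k_good, iv, 16); }
static symm_status_t check_malformed(void) { uint8_t iv[16]; return get_iv_checked(&k_malformed, iv, 16); }
static uint8_t unchecked_good_iv15(void) { uint8_t iv[16]; get_iv_unchecked(&k_good, iv, 16); return iv[15]; }
```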

An attacker who controls a CMP server or who can perform a man-in-the-middle attack can send a crafted CMP response that triggers the crash, resulting in a denial-of-service condition for the client. The vulnerability carries a CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-476.

The referenced OpenSSL commits (61a86a8, 665d525, 810b722, b90ff3b, and e6f9129) contain the corrective changes that prevent the NULL dereference when handling the malformed EncryptedValue structure. No other mitigation guidance is supplied in the available references. The current EPSS score of 0.0006 indicates low exploitation probability with no material upward trajectory reported.

Vulnerability details

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

CWE(s)

CWE-476 NULL Pointer Dereference

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL dereference in CMP client enables remote DoS via crafted server response (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69421 (same product: OpenSSL)
CVE-2026-42766 (same product: OpenSSL)
CVE-2026-42764 (same product: OpenSSL)
CVE-2026-42765 (same product: OpenSSL)
CVE-2026-28389 (same product: OpenSSL)
CVE-2026-28390 (same product: OpenSSL)
CVE-2026-28388 (same product: OpenSSL)
CVE-2026-28386 (same product: OpenSSL)
CVE-2026-42771 (same product: OpenSSL)
CVE-2023-0217 (same product: OpenSSL)

Affected Assets

Vendor / product: openssl / openssl
Affected versions: 4.0.0; 3.0.0 to 3.0.21; 3.4.0 to 3.4.6; 3.5.0 to 3.5.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
