Cyber Resilience

CVE-2026-42771

Severity: Medium (updated)

Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: fix published (see below)
CVSS v3.1 score: 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0019 (8.8th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-42771 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in OpenSSL (listed as vendor/product Openssl Openssl). Its CVSS base score is 6.2 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 8.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2026-42771 is an out-of-bounds read in OpenSSL triggered when an application calls X509_VERIFY_PARAM_set1_email (or the related add variant) to validate a crafted email address, such as during S/MIME message processing. An internal helper function used an incorrect length when checking the local part of the address, allowing the documented 64-octet limit to be bypassed and producing a read past the end of the supplied buffer. The affected code lies outside the FIPS module boundary, so no FIPS-validated configurations are impacted.

An attacker who can supply a malicious From: header in an S/MIME-signed message can cause the validating application to crash, which is a denial of service. The CVSS vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates that the issue is locally reachable without authentication, has a high availability impact, and discloses no data.

The OpenSSL project published advisory 20260609 and a corresponding fix in commit 6cd187689f8180c1f8a3acde21f88190c4a20de7 that corrects the length calculation used for local-part validation. Applications should update to a patched OpenSSL release and rebuild any components that perform S/MIME or X.509 email-address checks.
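As an added illustration (this is not OpenSSL's code and not the actual patch), the following C helper shows the discipline the fix restores: the length handed to the local-part validation loop is derived from the position of '@' inside the caller-supplied buffer of `addrlen` bytes, so the 64-octet limit is enforced and no read can run past the buffer. The function names, the `EMAIL_*` result codes and the printable-ASCII policy are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>
/* RFC 5321 limit on the local part: the limit the advisory says was bypassed. */
#define LOCAL_PART_MAX 64

enum email_check {
    EMAIL_OK = 0,
    EMAIL_NO_AT,          /* no '@' within addrlen bytes, or empty local part */
    EMAIL_LOCAL_TOO_LONG, /* local part longer than LOCAL_PART_MAX octets */
    EMAIL_BAD_CHAR        /* non-printable octet in the local part */
};

/* Hypothetical helper (not OpenSSL's): validate the local part of an address held
 * in a buffer of exactly addrlen bytes. No NUL terminator is assumed, so every
 * read below is bounded by addrlen. */
enum email_check check_local_part(const unsigned char *addr, size_t addrlen)
{
    /* Bounded search: memchr looks at no more than addrlen bytes. */
    const unsigned char *at = memchr(addr, '@', addrlen);
    if (at == NULL || at == addr)
        return EMAIL_NO_AT;
    /* The length used for validation is the local part's own length, taken from
     * the '@' position, never the whole-address length. */
    size_t local_len = (size_t)(at - addr);
    if (local_len > LOCAL_PART_MAX)
        return EMAIL_LOCAL_TOO_LONG;
    /* Every index here is < local_len < addrlen, so no read can overrun. */
    for (size_t i = 0; i < local_len; i++) {
        if (addr[i] < 0x21 || addr[i] > 0x7e) /* constructed policy: printable ASCII */
            return EMAIL_BAD_CHAR;
    }
    return EMAIL_OK;
}

/* Wrapper for NUL-terminated literals used as constructed test inputs. */
enum email_check check_local_part_str(const char *s)
{
    return check_local_part((const unsigned char *)s, strlen(s));
}

/* Probe the 64-octet boundary: build a constructed address whose local part is
 * n 'a' octets followed by "@example.test" and return the check result. */
enum email_check check_local_part_of_length(size_t n)
{
    static const char domain[] = "@example.test";
    unsigned char buf[128 + sizeof domain];
    if (n > 128) return EMAIL_LOCAL_TOO_LONG;
    memset(buf, 'a', n);
    memcpy(buf + n, domain, sizeof domain - 1);
    return check_local_part(buf, n + sizeof domain - 1);
}
```

Passing a shorter `addrlen` than the buffer holds (for example 3 for "bob@x") makes the helper stop before the '@' rather than read on, which is the property an unterminated S/MIME header buffer depends on.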

The current EPSS score remains at 0.0001 with no reported rise, and no in-the-wild exploitation has been observed.

EU & UK References

Vulnerability details

Issue summary: When the X509_VERIFY_PARAM_set1_email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen.

Impact summary: This out of bounds read will not directly exfiltrate the data read to the attacker so the most likely result is a crash and a Denial of Service. An internal helper function called from X509_VERIFY_PARAM_[set|add]_email() used a wrong length when validating the local part of an email address. This could cause the 64 octet limit on the local part of an email address to be not enforced, or cause an out of bounds read and potentially a crash. The bug is reachable via S/MIME validation with a crafted From: address supplied in an email message that can potentially cause a crash. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.

CWE(s)

CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read enables direct application crash via crafted input (S/MIME email validation), matching Application or System Exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28386 (same product: Openssl Openssl)
CVE-2026-9076 (same product: Openssl Openssl)
CVE-2026-34180 (same product: Openssl Openssl)
CVE-2026-42767 (same product: Openssl Openssl)
CVE-2025-69421 (same product: Openssl Openssl)
CVE-2022-4203 (same product: Openssl Openssl)
CVE-2026-42766 (same product: Openssl Openssl)
CVE-2026-42764 (same product: Openssl Openssl)
CVE-2026-42765 (same product: Openssl Openssl)
CVE-2026-22796 (same product: Openssl Openssl)

Affected Assets

Vendor: openssl
Product: openssl
Version: 4.0.0

Mitigating Controls

No mitigating controls have been mapped yet; the per-CVE control annotator has not processed this CVE.

References