CVE-2026-42771
Published: 09 June 2026
Summary
CVE-2026-42771 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in OpenSSL. Its CVSS base score is 6.2 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 8.8th percentile by EPSS exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2026-42771 is an out-of-bounds read in OpenSSL triggered when an application calls X509_VERIFY_PARAM_set1_email (or the related add variant) to validate a crafted email address, such as during S/MIME message processing. An internal helper function used an incorrect length when checking the local part of the address, so that, depending on the input, either the documented 64-octet limit on the local part is not enforced or the check reads past the end of the supplied buffer. The affected code lies outside the FIPS module boundary, so no FIPS-validated configurations are impacted.
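The length-confusion class the paragraph above describes, as an added example in C that is not OpenSSL's code: the advisory does not publish the helper's arithmetic, so this models one concrete way a validator handed an explicit emaillen can end up working with a different length, by measuring the buffer for a NUL terminator instead. Every identifier here (struct view, validate_email_buggy, validate_email_fixed, the demo_* functions) and both sample inputs are constructed for the illustration; reads past the supplied length are counted rather than performed, so the program runs deterministically.

```c
/* Constructed model of the advisory's bug class, not OpenSSL's code: the
 * address arrives with an explicit length (as emaillen does for
 * X509_VERIFY_PARAM_set1_email) but the buggy helper scans for a NUL. */
#include <stdio.h>
#include <string.h>

#define LOCAL_PART_MAX 64   /* RFC 5321 local-part limit named in the advisory */

struct view {
    const unsigned char *p;
    size_t len;        /* the supplied emaillen: the only valid bound */
    size_t backing;    /* bytes that happen to be readable after p (demo only) */
    size_t oob_reads;  /* reads at index >= len */
    int faulted;       /* a read at index >= backing: the crash case */
};

/* Bounds-checked read; a real implementation would just index p[i]. */
static int view_get(struct view *v, size_t i)
{
    if (i >= v->len) v->oob_reads++;   /* past the address we were given */
    if (i < v->backing) return v->p[i];
    v->faulted = 1;                    /* past anything readable: crash */
    return -1;
}

/* Simplified local-part octet rule: printable ASCII other than '@'. */
static int local_octet_ok(int c) { return c >= 0x21 && c <= 0x7e && c != '@'; }

/* Accept (1) or reject (0) the local part occupying indices [0, at). */
static int check_local_part(struct view *v, size_t at)
{
    if (at == 0 || at > LOCAL_PART_MAX)
        return 0;
    for (size_t i = 0; i < at; i++)
        if (!local_octet_ok(view_get(v, i)))
            return 0;
    return 1;
}

/* Index of the first '@' within the first `limit` octets, or limit if none. */
static size_t find_at(struct view *v, size_t limit)
{
    size_t i = 0;
    while (i < limit && view_get(v, i) != '@')
        i++;
    return i;
}

/* Hypothetical buggy validator: ignores v->len and scans for a NUL instead. */
static int validate_email_buggy(struct view *v)
{
    size_t measured = 0;
    int c;
    while ((c = view_get(v, measured)) != 0 && c != -1)
        measured++;
    size_t at = find_at(v, measured);
    return at < measured ? check_local_part(v, at) : 0;
}

/* Fixed validator: every bound derives from the supplied length. */
static int validate_email_fixed(struct view *v)
{
    size_t at = find_at(v, v->len);
    if (at >= v->len || at + 1 == v->len)   /* no '@', or empty domain */
        return 0;
    return check_local_part(v, at);
}

/* Constructed inputs: a 17-octet From: address sliced out of MSG, with the
 * To: header right after it in memory, and an address followed by nothing. */
static const char MSG[] = "From: alice@example.org\r\nTo: bob@example.net\r\n";
enum { ADDR_OFF = 6, ADDR_LEN = 17 };
static const unsigned char CRAFTED[] = { 'x', '@', 'y' };

static struct view header_slice(void)
{
    struct view v = { (const unsigned char *)MSG + ADDR_OFF, ADDR_LEN,
                      sizeof(MSG) - ADDR_OFF, 0, 0 };
    return v;
}

/* Buggy path accepts the slice, but only after reading 24 octets past it. */
size_t demo_buggy_overread(void)
{
    struct view v = header_slice();
    validate_email_buggy(&v);
    return v.oob_reads;
}
/* Fixed path accepts the same slice without touching a byte beyond it. */
int demo_fixed_accepts_in_bounds(void)
{
    struct view v = header_slice();
    return validate_email_fixed(&v) == 1 && v.oob_reads == 0;
}
/* Buggy path on CRAFTED reads unmapped memory: the crash the advisory warns of. */
int demo_buggy_faults(void)
{
    struct view v = { CRAFTED, sizeof(CRAFTED), sizeof(CRAFTED), 0, 0 };
    validate_email_buggy(&v);
    return v.faulted;
}
```

On the NUL-terminated string literals most unit tests use, validate_email_buggy returns the same verdict as the fixed version and never faults, which is how this class survives testing; feeding it an exact-length slice of a larger buffer (the From: header case) under AddressSanitizer is what exposes it. Whether the real over-read quietly consumes the next header or crashes depends on what follows the address in memory, and nothing read is returned to the caller, which matches the advisory's availability-only impact.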
An attacker who can place a crafted From: address in an S/MIME-signed message can crash the application that validates it, resulting in a denial of service. The CVSS vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) scores the attack vector as Local, requires no privileges or user interaction, and rates a high availability impact with no confidentiality or integrity impact: the bytes read out of bounds are not returned to the attacker.
The OpenSSL project published advisory 20260609 and a corresponding fix in commit 6cd187689f8180c1f8a3acde21f88190c4a20de7 that corrects the length calculation used for local-part validation. Applications should update to a patched OpenSSL release; components that link OpenSSL statically, or otherwise ship their own copy, must be rebuilt against it, particularly those that perform S/MIME or X.509 email-address checks.
The current EPSS score remains at 0.0001 with no reported rise, and no in-the-wild exploitation has been observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35488
Vulnerability details
Issue summary: When the X509_VERIFY_PARAM_set1_email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen.
Impact summary: This out of bounds read will not directly exfiltrate the data read to the attacker so the most likely result is a crash and a Denial of Service. An internal helper function called from X509_VERIFY_PARAM_[set|add]_email() used a wrong length when validating the local part of an email address. This could cause the 64 octet limit on the local part of an email address to be not enforced, or cause an out of bound read and potentially a crash. The bug is reachable via S/MIME validation with a crafted From: address supplied in an email message that can potentially cause a crash. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Application or System Exploitation
Why these techniques?
An out-of-bounds read that crashes the validating application on crafted input (a From: address checked during S/MIME validation) is a direct application-level denial of service, which is what Application or System Exploitation (T1499.004) describes.