CVE-2026-45445
Published: 09 June 2026
Summary
CVE-2026-45445 is a high-severity Missing Cryptographic Step (CWE-325) vulnerability in OpenSSL (vendor: OpenSSL). Its CVSS base score is 7.5 (High).
Operationally, it ranks at the 23.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a cryptographic flaw in OpenSSL's AES-OCB implementation when an application invokes the cipher through the public EVP_Cipher() one-shot interface. In this code path the caller-supplied initialization vector is ignored, so every encryption under the same key reuses the all-zero offset state left after cipher initialization. The resulting (key, nonce) reuse breaks confidentiality; when the same path is later used to generate an authentication tag via EVP_EncryptFinal_ex, the tag becomes a deterministic function of only the key and IV, enabling universal forgery of arbitrary ciphertexts from a single captured message. Only applications that combine AES-OCB with the one-shot EVP_Cipher() API are affected; the TLS stack and the streaming EVP_CipherUpdate/EVP_CipherFinal_ex interface are not affected, and the FIPS modules are unaffected because AES-OCB lies outside the FIPS module boundary.
An unauthenticated remote attacker who can observe or capture traffic encrypted by a vulnerable application can decrypt subsequent messages encrypted under the same key because the effective nonce never changes. If the application also derives authentication tags through the same code path, the attacker can forge valid tags for arbitrary ciphertexts without knowledge of the key, achieving both confidentiality loss and integrity violation.
The referenced commits restore correct IV handling inside the one-shot handler for AES-OCB and confirm that applications must migrate to the documented streaming AEAD interface to avoid the defect. No other configuration changes or work-arounds are described.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35489
Vulnerability details
Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.

Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.

OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.

The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
CWE(s)
- CWE-325: Missing Cryptographic Step
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
Derived hardening callouts
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (2 rules)
- V-248524 OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
- V-248535 The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. via CWE-325
Oracle Linux 9 (1 rule)
- V-271454 OL 9 must enable FIPS mode. via CWE-325
RHEL 7 (1 rule)
- V-204497 The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
RHEL 8 (1 rule)
- V-230223 RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
Ubuntu 22.04 (1 rule)
- V-260650 Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
Ubuntu 24.04 (1 rule)
- V-270744 Ubuntu 24.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325