CVE-2026-45446
Published: 09 June 2026
Summary
CVE-2026-45446 is a medium-severity Missing Cryptographic Step (CWE-325) vulnerability in OpenSSL (vendor: OpenSSL). Its CVSS base score is 4.8 (Medium).
Operationally, its exploit likelihood ranks at the 11.2th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability affects OpenSSL's provider implementations of the AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) authenticated encryption modes, present since versions 3.0 and 3.2 respectively. It stems from incorrect handling of Additional Authenticated Data (AAD) when the ciphertext is empty: the tag verification logic in EVP_DecryptFinal_ex only recomputes the expected tag on non-empty data, leaving an all-zeros tag in place and allowing forged messages to pass authentication.
An attacker able to supply crafted inputs to an application using these ciphers through the low-level EVP interface can forge messages containing arbitrary AAD, an empty ciphertext, and a zero tag. For AES-GCM-SIV this succeeds in a single shot under any key; for AES-SIV the attacker must also cause the application to reuse a decryption context without resetting the key. No TLS, CMS, PKCS7, HPKE, or QUIC protocol code inside OpenSSL itself uses these algorithms, so exploitation requires a custom protocol that skips the ciphertext update step on zero-length messages.
The referenced commits (25b32cd9, 71e2a5d2, 7fe3f33a, daca0f48, eec5e9bf) contain the corrective changes. The FIPS modules in OpenSSL 3.0 through 4.0 are unaffected because these algorithms are not FIPS approved and the affected code lies outside the FIPS module boundary. The current EPSS of 0.0001 shows no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35490
Vulnerability details
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext, allowing a forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, a nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified successfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption update function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invoking the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its initial all-zeros value.

When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, an empty ciphertext, and an all-zeros tag passes authentication under any key, including one the attacker does not know, in a single shot. When AES-SIV is used, mounting the attack additionally requires the application to reuse the decryption context without resetting the key.

AES-SIV is implemented since OpenSSL 3.0; AES-GCM-SIV since OpenSSL 3.2. No protocol implemented in OpenSSL itself (TLS, CMS, PKCS7, HPKE, QUIC) supports either AES-GCM-SIV or AES-SIV. To be exposed, an application must implement its own protocol over the EVP interface and must skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
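To make the control-flow defect concrete, the following constructed Python model (added here; it is not OpenSSL's code) mimics the EVP decrypt-side sequence: the expected tag is derived only in update(), so a message carrying AAD, an empty ciphertext and an all-zero tag passes final() under any key whenever the application skips the update call. Assumptions: truncated HMAC-SHA256 stands in for the SIV tag derivation and ciphertext passes through unencrypted; the `recompute_in_final` flag models the provider-side fix, and `call_update_when_empty` the application-side mitigation of always calling the update step even for zero-length ciphertext.

```python
import hashlib
import hmac

ZERO_TAG = bytes(16)  # the provider's initial expected-tag value

def _siv_tag(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Stand-in for the SIV tag derivation (assumption: truncated HMAC-SHA256)."""
    msg = len(aad).to_bytes(4, "big") + aad + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

class DecryptCtx:
    """Mimics the EVP decrypt-side init / AAD / update / final sequence."""

    def __init__(self, key: bytes, recompute_in_final: bool):
        self.key = key
        self.recompute_in_final = recompute_in_final  # False models the vulnerable provider
        self.aad = b""
        self.ciphertext = b""
        self.expected_tag = ZERO_TAG  # stays stale if update() never runs

    def set_aad(self, aad: bytes) -> None:
        self.aad += aad

    def update(self, ciphertext: bytes) -> bytes:
        # Vulnerable behaviour: the expected tag is derived only on this path.
        self.ciphertext += ciphertext
        self.expected_tag = _siv_tag(self.key, self.aad, self.ciphertext)
        return ciphertext  # confidentiality is not modelled: data passes through

    def final(self, received_tag: bytes) -> bool:
        if self.recompute_in_final:
            # The fix: derive the tag from everything seen, even with no ciphertext.
            self.expected_tag = _siv_tag(self.key, self.aad, self.ciphertext)
        return hmac.compare_digest(self.expected_tag, received_tag)

def seal(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Sender side of the model: the genuine tag for (aad, ciphertext)."""
    return _siv_tag(key, aad, ciphertext)

def decrypt(key: bytes, aad: bytes, ciphertext: bytes, tag: bytes,
            recompute_in_final: bool, call_update_when_empty: bool) -> bool:
    """Application-side decrypt. call_update_when_empty=False reproduces the
    pattern the advisory describes: the update step is skipped for empty data."""
    ctx = DecryptCtx(key, recompute_in_final)
    ctx.set_aad(aad)
    if ciphertext or call_update_when_empty:
        ctx.update(ciphertext)
    return ctx.final(tag)
```

The last two flags show that either side closes the hole: a provider that recomputes the tag in final(), or an application that never skips the update call for zero-length ciphertext.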
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (2 rules)
- V-248524 OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
- V-248535 The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds. via CWE-325
Oracle Linux 9 (1 rule)
- V-271454 OL 9 must enable FIPS mode. via CWE-325
RHEL 7 (1 rule)
- V-204497 The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
RHEL 8 (1 rule)
- V-230223 RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
Ubuntu 22.04 (1 rule)
- V-260650 Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325
Ubuntu 24.04 (1 rule)
- V-270744 Ubuntu 24.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-325