Cyber Resilience

CVE-2026-9076

Severity: High (updated)

Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: available (referenced OpenSSL commits listed under Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0030 (21.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-9076 is a high-severity out-of-bounds read (CWE-125) vulnerability in OpenSSL (vendor: OpenSSL). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2026-9076 is a heap out-of-bounds read in OpenSSL's CMS password-based decryption code path. When processing attacker-supplied CMS data that uses RFC 3211 PWRI key unwrap, the kek_unwrap_key() function selects the KEK cipher from an OID in the message's keyEncryptionAlgorithm field. If that cipher is a stream-mode algorithm rather than a block cipher, the minimum-length guard based on the cipher's block size becomes ineffective, so the seven-byte check-byte test can read past the end of a heap buffer that is sized from the wrapped key length declared in the message.

An unauthenticated remote attacker can trigger the flaw by sending a crafted CMS structure to any application that calls CMS_decrypt() or CMS_decrypt_set1_password() (or the equivalent openssl cms -decrypt -pwri_password command) on untrusted input. The resulting over-read is limited to a few bytes and produces no information disclosure, but it can cause a crash and denial of service when the allocation borders an unmapped page. No password knowledge is required, as the over-read occurs before any authentication check.

The referenced OpenSSL commits (05b0663, 3d8d5bc, 715349a, 77bf00a, and eecbe33) contain the corrective changes. The FIPS modules are unaffected, and the CVSS 7.5 score reflects the high availability impact with network-reachable, low-complexity attack conditions. The current EPSS of 0.0010 shows no material increase.

Vulnerability details

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However, the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.
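The length-guard failure described in the Deeper analysis and in the advisory text above, modelled as an added C example (not OpenSSL code and not the project's patch): the RFC 3211 PWRI layout after decryption, the block-size guard that a stream-mode cipher defeats, and a cipher-independent minimum that keeps the seven-byte check-byte test inside the allocation. The layout model, the extra minimum and the sample buffers are this example's assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the RFC 3211 PWRI layout after decryption:
 * tmp[0] = key length, tmp[1..3] = check bytes (complement of key bytes
 * 0..2), tmp[4..] = key, then padding.  The check-byte test reads
 * tmp[0] through tmp[6]: seven bytes, whatever the cipher's block size. */
#define PWRI_MIN_CHECK_LEN 7

/* The block-size-based guard the advisory describes: a 16-byte block
 * cipher needs 32 bytes, but a stream mode (blocklen 1) passes with 2. */
static int block_guard_passes(size_t inlen, size_t blocklen)
{
    return blocklen > 0 && inlen >= 2 * blocklen && inlen % blocklen == 0;
}

/* Returns the key length, or -1 (too short), -2 (check-byte mismatch),
 * -3 (declared key length overruns the buffer).  The cipher-independent
 * minimum is this example's own hardening, not OpenSSL's actual patch. */
static int pwri_validate_unwrapped(const unsigned char *tmp, size_t inlen,
                                   size_t blocklen)
{
    size_t keylen;
    if (!block_guard_passes(inlen, blocklen) || inlen < PWRI_MIN_CHECK_LEN)
        return -1;                   /* every byte read below is in bounds */
    if (tmp[1] != (unsigned char)~tmp[4] ||
        tmp[2] != (unsigned char)~tmp[5] ||
        tmp[3] != (unsigned char)~tmp[6])
        return -2;
    keylen = tmp[0];
    if (keylen < 3 || keylen + 4 > inlen)
        return -3;
    return (int)keylen;
}
/* Constructed inputs for the two cases the advisory contrasts. */
static int demo_block_cipher_ok(void)
{
    const unsigned char key[] = "0123456789abcdef";   /* 16-byte key */
    unsigned char buf[32] = {0};                      /* zero padding */
    buf[0] = 16;
    buf[1] = (unsigned char)~key[0]; buf[2] = (unsigned char)~key[1];
    buf[3] = (unsigned char)~key[2];
    memcpy(buf + 4, key, 16);
    return pwri_validate_unwrapped(buf, sizeof buf, 16);   /* 16 */
}
static int demo_stream_mode_rejected(void)
{
    unsigned char buf[2] = {0x10, 0x00};   /* old guard alone: 2 >= 2 */
    return pwri_validate_unwrapped(buf, sizeof buf, 1);    /* -1 */
}
```

With only the block-size guard, the two-byte stream-mode buffer would reach the check-byte comparison and read five bytes past its end; the explicit minimum rejects it before any read.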

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of OpenSSL CMS_decrypt() on untrusted input directly enables T1190; the resulting heap over-read produces an application crash (DoS), matching T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28386 (same product: OpenSSL)
CVE-2026-34180 (same product: OpenSSL)
CVE-2026-42771 (same product: OpenSSL)
CVE-2026-28388 (same product: OpenSSL)
CVE-2022-4203 (same product: OpenSSL)
CVE-2026-42767 (same product: OpenSSL)
CVE-2025-69421 (same product: OpenSSL)
CVE-2026-42766 (same product: OpenSSL)
CVE-2026-45447 (same product: OpenSSL)
CVE-2026-42764 (same product: OpenSSL)

Affected Assets

Vendor: openssl
Product: openssl
Affected versions: 4.0.0 · 1.0.2 to 1.0.2zq · 1.1.1 to 1.1.1zh · 3.0.0 to 3.0.21

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
