CVE-2026-9076
Published: 09 June 2026
Summary
CVE-2026-9076 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in OpenSSL (vendor OpenSSL). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 21.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2026-9076 is a heap out-of-bounds read in OpenSSL's CMS password-based decryption code path. When processing attacker-supplied CMS data that uses RFC 3211 PWRI key unwrap, the kek_unwrap_key() function selects the KEK cipher from an OID in the message's keyEncryptionAlgorithm field. If that cipher is a stream-mode algorithm rather than a block cipher, the minimum-length guard based on block size becomes ineffective, allowing a read of seven check bytes from a heap buffer that may be too small for the wrapped key length declared in the message.
An unauthenticated remote attacker can trigger the flaw by sending a crafted CMS structure to any application that calls CMS_decrypt() or CMS_decrypt_set1_password() (or the equivalent openssl cms -decrypt -pwri_password command) on untrusted input. The resulting over-read is limited to a few bytes and produces no information disclosure, but it can cause a crash and denial of service when the allocation borders an unmapped page. No password knowledge is required, as the over-read occurs before any authentication check.
The referenced OpenSSL commits (05b0663, 3d8d5bc, 715349a, 77bf00a, and eecbe33) contain the corrective changes. The FIPS modules are unaffected, and the CVSS 7.5 score reflects the high availability impact with network-reachable, low-complexity attack conditions. The current EPSS of 0.0010 shows no material increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35475
Vulnerability details
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure, as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation whose size is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However, the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard is ineffective, the allocated buffer containing the unwrapped key can be too small to hold the check bytes specified in the RFC, and a buffer over-read can happen.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.
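As an added illustration (not OpenSSL's code), here is a C model of the two pieces the description names: the pre-unwrap minimum-length guard keyed on the KEK block size, in its weak form (block-count rule only, which a stream-mode cipher with block size 1 defeats) and a hardened form, plus a bounds-checked RFC 3211 check-byte test. All function names, the PWRI_CHECK_BYTES constant and the sample buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes the RFC 3211 check-byte test reads: length byte, three check bytes,
 * first three key bytes. Constructed constant, not an OpenSSL identifier. */
#define PWRI_CHECK_BYTES 7

/* Pre-unwrap guard modelled on the description: only a "two blocks" rule.
 * A stream-mode KEK reports blocklen == 1, so a 2-byte wrapped key passes. */
int pwri_length_guard_weak(size_t inlen, size_t blocklen)
{
    return blocklen > 0 && inlen >= 2 * blocklen && inlen % blocklen == 0;
}

/* Hardened guard: insist on a real block cipher and on room for the check bytes. */
int pwri_length_guard_hardened(size_t inlen, size_t blocklen)
{
    if (blocklen < 2)                                  /* stream mode: refuse */
        return 0;
    if (inlen < 2 * blocklen || inlen % blocklen != 0)
        return 0;
    return inlen >= PWRI_CHECK_BYTES;
}

/* Bounds-checked RFC 3211 check-byte test over the decrypted buffer tmp.
 * Returns the declared key length on success, -1 on any failure. */
int pwri_check_bytes(const unsigned char *tmp, size_t tmplen)
{
    if (tmplen < PWRI_CHECK_BYTES)                     /* never read past tmp */
        return -1;
    size_t keylen = tmp[0];
    if (keylen < 3 || keylen > tmplen - 4)             /* key must fit inside tmp */
        return -1;
    /* check bytes are the one's complement of the first three key bytes */
    if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff)
        return -1;
    return (int)keylen;
}

/* Constructed sample: key length 3, key aa bb cc, check bytes 55 44 33.
 * corrupt != 0 flips one check byte; tmplen caps how much of tmp is visible. */
int pwri_check_sample(int corrupt, size_t tmplen)
{
    unsigned char tmp[16] = { 0x03, 0x55, 0x44, 0x33, 0xaa, 0xbb, 0xcc };
    if (corrupt)
        tmp[3] ^= 0x01;
    return pwri_check_bytes(tmp, tmplen > sizeof tmp ? sizeof tmp : tmplen);
}
```

The weak guard accepts a 2-byte wrapped key under a block size of 1, which is exactly the input the 7-byte check-byte read then overruns; the hardened guard refuses it before any read happens.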
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of OpenSSL CMS_decrypt() on untrusted input directly enables T1190; the resulting heap over-read produces an application crash (DoS), matching T1499.004.