CVE-2026-22796 - Medium Severity Vulnerability
Vulnerable Libraries - opensslOpenSSL_1_1_1w, opensslOpenSSL_1_1_1w
opensslOpenSSL_1_1_1w
TLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Vulnerable Source Files (3)
/crypto/openssl/crypto/pkcs7/pk7_doit.c
/crypto/openssl/crypto/pkcs12/p12_kiss.c
/crypto/openssl/crypto/pkcs12/p12_kiss.c
opensslOpenSSL_1_1_1w
TLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Vulnerable Source Files (3)
/crypto/openssl/crypto/pkcs7/pk7_doit.c
/crypto/openssl/crypto/pkcs12/p12_kiss.c
/crypto/openssl/crypto/pkcs12/p12_kiss.c
Found in base branch: stable/4.0
Vulnerability Details
Issue summary: A type confusion vulnerability exists in the signature
verification of signed PKCS#7 data where an ASN1_TYPE union member is
accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data.
Impact summary: An application performing signature verification of PKCS#7
data or calling directly the PKCS7_digest_from_attributes() function can be
caused to dereference an invalid or NULL pointer when reading, resulting in
a Denial of Service.
The function PKCS7_digest_from_attributes() accesses the message digest attribute
value without validating its type. When the type is not V_ASN1_OCTET_STRING,
this results in accessing invalid memory through the ASN1_TYPE union, causing
a crash.
Exploiting this vulnerability requires an attacker to provide a malformed
signed PKCS#7 to an application that verifies it. The impact of the
exploit is just a Denial of Service, the PKCS7 API is legacy and applications
should be using the CMS API instead. For these reasons the issue was
assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Publish Date: 2026-01-27
URL: CVE-2026-22796
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-27
Fix Resolution: https://github.com/openssl/openssl.git - openssl-3.4.4,https://github.com/openssl/openssl.git - openssl-3.6.1,https://github.com/openssl/openssl.git - openssl-3.0.19,https://github.com/openssl/openssl.git - openssl-3.5.5,https://github.com/openssl/openssl.git - openssl-3.3.6
Step up your Open Source Security Game with Mend here
CVE-2026-22796 - Medium Severity Vulnerability
opensslOpenSSL_1_1_1w
TLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
opensslOpenSSL_1_1_1w
TLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: stable/4.0
Issue summary: A type confusion vulnerability exists in the signature
verification of signed PKCS#7 data where an ASN1_TYPE union member is
accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data.
Impact summary: An application performing signature verification of PKCS#7
data or calling directly the PKCS7_digest_from_attributes() function can be
caused to dereference an invalid or NULL pointer when reading, resulting in
a Denial of Service.
The function PKCS7_digest_from_attributes() accesses the message digest attribute
value without validating its type. When the type is not V_ASN1_OCTET_STRING,
this results in accessing invalid memory through the ASN1_TYPE union, causing
a crash.
Exploiting this vulnerability requires an attacker to provide a malformed
signed PKCS#7 to an application that verifies it. The impact of the
exploit is just a Denial of Service, the PKCS7 API is legacy and applications
should be using the CMS API instead. For these reasons the issue was
assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Publish Date: 2026-01-27
URL: CVE-2026-22796
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-01-27
Fix Resolution: https://github.com/openssl/openssl.git - openssl-3.4.4,https://github.com/openssl/openssl.git - openssl-3.6.1,https://github.com/openssl/openssl.git - openssl-3.0.19,https://github.com/openssl/openssl.git - openssl-3.5.5,https://github.com/openssl/openssl.git - openssl-3.3.6
Step up your Open Source Security Game with Mend here