Vulnerability Overview
A critical security advisory released by OpenSSL on June 9, 2026, details a severe vulnerability designated CVE-2026-45447 that enables remote code execution. The flaw is a heap use-after-free bug in the PKCS7_verify function. It is triggered when an application processes a specially crafted PKCS7 or S/MIME signed message containing an empty SignedData.digestAlgorithms ASN.1 SET. This causes OpenSSL to free a BIO object owned by the calling application without the application’s awareness. If the application later reuses or frees that same BIO, a use-after-free condition arises, potentially leading to crashes, heap corruption, or controlled exploitation by an attacker.
Impact and Scope
The vulnerability affects a wide range of OpenSSL versions including 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2. Patched releases are available for each branch: OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh, and 1.0.2zq. Applications using the PKCS7 APIs for signature verification are vulnerable, while those using CMS APIs remain unaffected. The FIPS modules for the affected versions are not impacted. The advisory also notes several additional vulnerabilities of high to moderate severity, including issues in CMS AuthEnvelopedData processing, QUIC denial of service, AES-OCB misuse, and various ASN.1 and PKCS12 parsing bugs. Administrators are strongly urged to upgrade immediately to prevent potential remote code execution attacks.
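An added example, not part of the advisory or OpenSSL's own code: a Python check that compares an OpenSSL version string against the fixed release listed above for its branch. The function names and status labels are assumptions of this example, and it handles upstream release version strings only; distribution packages that backport fixes under an older version number have to be checked against the vendor's own advisory.

```python
import re
import ssl

# Fixed release per branch, exactly as listed in the text above.
FIXED = {
    "4.0": "4.0.1", "3.6": "3.6.3", "3.5": "3.5.7", "3.4": "3.4.6",
    "3.0": "3.0.21", "1.1.1": "1.1.1zh", "1.0.2": "1.0.2zq",
}
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse(text):
    """Extract (major, minor, patch, letters) from an upstream version string."""
    m = _VER.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def sort_key(v):
    # 1.x letter releases run a..z, then za, zb, ...; comparing length first
    # keeps "z" below "za" and "w" below "zh".
    return v[0], v[1], v[2], len(v[3]), v[3]


def branch(v):
    # 1.x branches are named by three numbers (1.1.1), later ones by two (3.0).
    return f"{v[0]}.{v[1]}.{v[2]}" if v[0] == 1 else f"{v[0]}.{v[1]}"


def status(text):
    """Return 'fixed', 'needs-update', or 'unlisted' (branch not named above)."""
    if "OpenSSL" not in text and not text[:1].isdigit():
        return "unlisted"  # e.g. LibreSSL or BoringSSL: different numbering
    v = parse(text)
    fixed = FIXED.get(branch(v))
    if fixed is None:
        return "unlisted"
    return "fixed" if sort_key(v) >= sort_key(parse(fixed)) else "needs-update"


if __name__ == "__main__":
    # Reports the OpenSSL build this Python interpreter is linked against.
    print(ssl.OPENSSL_VERSION, "->", status(ssl.OPENSSL_VERSION))
```

A "needs-update" result only means the library is below the fixed release for its branch; whether the application is exposed still depends on it calling the PKCS7 verification APIs, as described above.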
Source: Cyber Security News
