NVD - CVE-2026-22796

CVE-2026-22796 Detail

Description

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7 data, or calling the PKCS7_digest_from_attributes() function directly, can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service; the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
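The following C program is an added illustration and is not OpenSSL's code: it models the class of bug the description names, not the actual PKCS7_digest_from_attributes() implementation or the fix in the referenced commits. The OCTET_STRING and ATTR_VALUE types, the digest_from_attributes_unchecked() and digest_from_attributes_checked() accessors, verify_message_digest() and sample_attr() are hypothetical stand-ins that only copy the shape of OpenSSL's ASN1_TYPE (an integer tag next to an untagged union); the V_ASN1_* values are the universal ASN.1 tag numbers. The sample attributes are constructed in the program rather than parsed from real PKCS#7 DER. The unchecked accessor hands back whatever bits sit in the union, so a BOOLEAN yields a bogus pointer and an ASN.1 NULL yields NULL for the caller to dereference; the checked accessor refuses anything that is not an OCTET STRING, and the verifier-style caller turns that refusal into a verification failure rather than a crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Universal ASN.1 tag numbers; these are the values OpenSSL's V_ASN1_*
 * macros carry, so the comparison mirrors the one the advisory describes. */
#define V_ASN1_BOOLEAN      1
#define V_ASN1_OCTET_STRING 4
#define V_ASN1_NULL         5

/* Hypothetical stand-in for OpenSSL's ASN1_OCTET_STRING (an ASN1_STRING). */
typedef struct {
    int length;
    const unsigned char *data;
} OCTET_STRING;

/* Hypothetical stand-in for OpenSSL's ASN1_TYPE: a tag plus an untagged
 * union. Nothing stops a caller reading value.octet_string when the tag
 * says the live member is value.boolean; that is the type confusion. */
typedef struct {
    int type;
    union {
        void *ptr;
        int boolean;               /* ASN1_BOOLEAN is an int in OpenSSL */
        OCTET_STRING *octet_string;
    } value;
} ATTR_VALUE;

/* Vulnerable pattern: return the union member without consulting type.
 * For a BOOLEAN attribute the int's bits come back as a pointer; for an
 * ASN.1 NULL attribute the pointer is NULL and a caller expecting a digest
 * dereferences it. */
const OCTET_STRING *digest_from_attributes_unchecked(const ATTR_VALUE *attr)
{
    if (attr == NULL)
        return NULL;
    return attr->value.octet_string;
}

/* Hardened pattern: only hand back the member the tag says is live. */
const OCTET_STRING *digest_from_attributes_checked(const ATTR_VALUE *attr)
{
    if (attr == NULL || attr->type != V_ASN1_OCTET_STRING)
        return NULL;
    return attr->value.octet_string;
}

/* Caller side, in the style of a signature verifier comparing the
 * messageDigest attribute to the digest computed over the content.
 * Returns 1 on match, 0 on mismatch, -1 if the attribute is absent or
 * is not an OCTET STRING (a malformed signer info). */
int verify_message_digest(const ATTR_VALUE *attr,
                          const unsigned char *computed, size_t computed_len)
{
    const OCTET_STRING *md = digest_from_attributes_checked(attr);

    if (md == NULL || md->length < 0)
        return -1;
    if ((size_t)md->length != computed_len)
        return 0;
    return memcmp(md->data, computed, computed_len) == 0;
}

/* Constructed sample data (not real PKCS#7 DER). */
const unsigned char SAMPLE_DIGEST[4] = {0xde, 0xad, 0xbe, 0xef};
OCTET_STRING sample_md = {4, SAMPLE_DIGEST};

/* Build a sample messageDigest attribute carrying the given tag: a
 * well-formed OCTET STRING, a BOOLEAN smuggled in where an OCTET STRING
 * is expected, or an ASN.1 NULL. One static slot per kind. */
const ATTR_VALUE *sample_attr(int type)
{
    static ATTR_VALUE slots[3];          /* zero-initialised static storage */
    ATTR_VALUE *a = &slots[2];           /* default slot: ASN.1 NULL */

    switch (type) {
    case V_ASN1_OCTET_STRING:
        a = &slots[0];
        a->value.octet_string = &sample_md;
        break;
    case V_ASN1_BOOLEAN:
        a = &slots[1];
        a->value.boolean = 0xff;         /* DER TRUE; read as a pointer, garbage */
        break;
    default:
        a->value.ptr = NULL;             /* NULL carries no pointer at all */
        break;
    }
    a->type = type;
    return a;
}

int main(void)
{
    const unsigned char *d = SAMPLE_DIGEST;
    size_t n = sizeof SAMPLE_DIGEST;

    /* Pointers from the unchecked accessor are printed, never dereferenced. */
    printf("BOOLEAN attr: unchecked=%p checked=%p\n",
           (const void *)digest_from_attributes_unchecked(sample_attr(V_ASN1_BOOLEAN)),
           (const void *)digest_from_attributes_checked(sample_attr(V_ASN1_BOOLEAN)));
    printf("NULL attr:    unchecked=%p checked=%p\n",
           (const void *)digest_from_attributes_unchecked(sample_attr(V_ASN1_NULL)),
           (const void *)digest_from_attributes_checked(sample_attr(V_ASN1_NULL)));
    printf("verify: octet=%d boolean=%d null=%d\n",
           verify_message_digest(sample_attr(V_ASN1_OCTET_STRING), d, n),
           verify_message_digest(sample_attr(V_ASN1_BOOLEAN), d, n),
           verify_message_digest(sample_attr(V_ASN1_NULL), d, n));
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. The program only prints the bogus pointer the unchecked accessor returns for the BOOLEAN case; with an attacker-supplied structure, reading through that pointer (or through the NULL returned for the NULL case) is the crash the advisory describes. The check to look for when auditing similar accessors is the one in digest_from_attributes_checked(): compare the tag before touching any union member.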

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST CVSS score

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST CVSS score

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

ADP: CISA-ADP

Base Score: 5.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools


URL Source(s) Tag(s)
https://cert-portal.siemens.com/productcert/html/ssa-265688.html siemens-SADP
https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4 OpenSSL Software Foundation Patch
https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49 OpenSSL Software Foundation Patch
https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12 OpenSSL Software Foundation Patch
https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e OpenSSL Software Foundation Patch
https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2 OpenSSL Software Foundation Patch
https://openssl-library.org/news/secadv/20260127.txt OpenSSL Software Foundation Vendor Advisory

Weakness Enumeration

CWE-ID CWE Name Source
CWE-754 Improper Check for Unusual or Exceptional Conditions OpenSSL Software Foundation

Known Affected Software Configurations


Change History

4 change records found

CVE Modified by siemens-SADP 5/12/2026 9:17:32 AM

Action Type Old Value New Value
Added Reference https://cert-portal.siemens.com/productcert/html/ssa-265688.html

Initial Analysis by NIST 2/02/2026 1:40:27 PM

Action Type Old Value New Value
Added CPE Configuration
  OR
  *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.0.19
  *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.3.0 up to (excluding) 3.3.6
  *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.4.0 up to (excluding) 3.4.4
  *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.5.0 up to (excluding) 3.5.5
  *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.6.0 up to (excluding) 3.6.1
  *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.0.2 up to (excluding) 1.0.2zn
  *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.1.1 up to (excluding) 1.1.1ze
Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4 Types: Patch
Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49 Types: Patch
Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12 Types: Patch
Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e Types: Patch
Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2 Types: Patch
Added Reference Type OpenSSL Software Foundation: https://openssl-library.org/news/secadv/20260127.txt Types: Vendor Advisory

CVE Modified by CISA-ADP 1/27/2026 12:16:12 PM

Action Type Old Value New Value
Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

New CVE Received from OpenSSL Software Foundation 1/27/2026 11:16:35 AM

Action Type Old Value New Value
Added Description Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Added CWE CWE-754
Added Reference https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
Added Reference https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
Added Reference https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
Added Reference https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
Added Reference https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
Added Reference https://openssl-library.org/news/secadv/20260127.txt

Quick Info

CVE Dictionary Entry:
CVE-2026-22796
NVD Published Date:
01/27/2026
NVD Last Modified:
05/12/2026
Source:
OpenSSL Software Foundation