NULL Pointer Dereference in CRMF EncryptedValue Decryption_CVE-2026-42767

5.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Issue summary: An attacker-controlled CMP (Certificate Management Protocol)
server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the
application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could
craft a CMP response containing a CRMF (Certificate Request Message Format)
CertRepMessage with an EncryptedValue structure where the symmAlg field
has an algorithm OID but no parameters field. When the OpenSSL CMP client
processes this response, the NULL dereference occurs, causing a crash of
the CMP client.

Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.

Basic Information

ID CVE-2026-42767

Source openssl

Published Jun 9, 2026 at 16:03

Modified Jun 9, 2026 at 20:27

Affected Product

Vendor OpenSSL

Product OpenSSL

Version 4.0.0

Affected Versions OpenSSL OpenSSL 4.0.0
OpenSSL OpenSSL 3.6.0
OpenSSL OpenSSL 3.5.0
OpenSSL OpenSSL 3.4.0
OpenSSL OpenSSL 3.0.0

CWE Classification

CWE-476

References

{
    "lastseen": "",
    "description": "Issue summary: An attacker-controlled CMP (Certificate Management Protocol)\nserver could trigger a NULL pointer dereference in a CMP client application.\n\nImpact summary: A NULL pointer dereference causes a crash of the\napplication and a Denial of Service.\n\nAn attacker controlling a CMP server (or acting as a man-in-the-middle) could\ncraft a CMP response containing a CRMF (Certificate Request Message Format)\nCertRepMessage with an EncryptedValue structure where the symmAlg field\nhas an algorithm OID but no parameters field. When the OpenSSL CMP client\nprocesses this response, the NULL dereference occurs, causing a crash of\nthe CMP client.\n\nApplications that process untrusted CMP/CRMF messages may be affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.",
    "published": "2026-06-09T16:03:27.435Z",
    "modified": "2026-06-09T20:27:09.498Z",
    "type": "cve",
    "title": "NULL Pointer Dereference in CRMF EncryptedValue Decryption",
    "source": "openssl",
    "references": "https://openssl-library.org/news/secadv/20260609.txt\nhttps://github.com/openssl/security/commit/b90ff3b1bd33b1c18e6a09936d097c2eddef8873\nhttps://github.com/openssl/security/commit/e6f912907fc2ec82a0fd07aae55172c5e5e3d90d\nhttps://github.com/openssl/security/commit/810b722f772652ad48042bcc7ab07e3414b11d0f\nhttps://github.com/openssl/security/commit/665d5254083affde9982efca7c41dd01cacc8774\nhttps://github.com/openssl/security/commit/61a86a8cd73546c9fea916f3d304c1293e05c046",
    "id": "CVE-2026-42767",
    "bulletinFamily": "",
    "cwe": [
        "CWE-476"
    ],
    "cvelist": null,
    "sourceData": "OpenSSL OpenSSL 4.0.0\nOpenSSL OpenSSL 3.6.0\nOpenSSL OpenSSL 3.5.0\nOpenSSL OpenSSL 3.4.0\nOpenSSL OpenSSL 3.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenSSL",
    "version": "4.0.0",
    "vendor": "OpenSSL",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}