
CVE-2026-34182: OpenSSL CMS Auth Bypass Vulnerability

CVE-2026-34182 is an authentication bypass vulnerability in OpenSSL's Cryptographic Message Syntax (CMS) implementation that allows attackers to bypass integrity validation and gain key-equivalent functionality. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-34182 Overview

CVE-2026-34182 is a cryptographic vulnerability in OpenSSL's Cryptographic Message Syntax (CMS) processing. The flaw stems from insufficient input validation on the cipher and tag-length fields of AuthEnvelopedData containers. Attackers can substitute the AEAD cipher with an unauthenticated mode such as AES-256-OFB, or reduce the authentication tag length to a single byte. Successful exploitation enables key-equivalent functionality against a CMS recipient or bypass of integrity validation. The FIPS modules are not affected. The vulnerability is classified under CWE-354: Improper Validation of Integrity Check Value.

Critical Impact

An on-path attacker can re-emit a captured AES-GCM AuthEnvelopedData message with the inner OID rewritten to an unauthenticated keystream mode, causing CMS_decrypt() to return success and enabling an oracle attack that recovers key-equivalent material for the content-encryption key (CEK).

Affected Products

  • OpenSSL CMS implementation (non-FIPS builds)
  • Applications relying on CMS_decrypt() for AuthEnvelopedData integrity validation
  • Software linking against vulnerable OpenSSL versions for S/MIME or CMS message processing

Discovery Timeline

  • 2026-06-09 - OpenSSL publishes security advisory
  • 2026-06-09 - CVE-2026-34182 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-34182

Vulnerability Analysis

The vulnerability resides in crypto/cms/cms_enc.c within OpenSSL's CMS processing path. When parsing an AuthEnvelopedData ASN.1 structure, the code does not validate that the specified content-encryption algorithm is an Authenticated Encryption with Associated Data (AEAD) cipher. The code also accepts arbitrary tag lengths, including zero or one byte, instead of enforcing the AEAD-defined range of 4 to 16 bytes.

An on-path attacker who captures a legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it. The attacker leaves the recipientInfos byte-for-byte intact so the victim's private key still unwraps the genuine CEK. The attacker rewrites the inner OID to AES-256-OFB and supplies a chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.

Root Cause

The root cause is missing type and bounds enforcement on attacker-controlled algorithm identifiers and tag length fields inside AuthEnvelopedData. The CMS layer trusts the serialized OID and taglen without confirming they correspond to a valid AEAD construction.

Attack Vector

Exploitation requires network access to a CMS recipient that returns any observable success or failure signal after decryption. The attacker uses this signal as a decryption oracle to obtain key-equivalent functionality for the chosen recipient's CEK. A second variant reduces the tag length to one byte, enabling brute-force forgery and integrity bypass against applications that trust CMS_decrypt() to reject modified content.

                goto err;
            }
            piv = aparams.iv;
-            if (ec->taglen > 0
-                && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
-                       ec->taglen, ec->tag)
-                    <= 0) {
+
+            if (ec->taglen < 4 || ec->taglen > 16
+                || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) {
                ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR);
                goto err;
            }
+        } else if (auth) {
+            ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
+            goto err;
        }
    }
    len = EVP_CIPHER_CTX_get_key_length(ctx);
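Review bot: the new range test `ec->taglen < 4 || ec->taglen > 16` also rejects taglen == 0, which the removed `ec->taglen > 0 &&` guard used to skip silently, so any caller that reaches this branch without a tag now fails; confirm that is intended for every path that sets piv from aparams. The range failure is reported as CMS_R_CIPHER_AEAD_SET_TAG_ERROR, the same reason as a failed EVP_CIPHER_CTX_ctrl, so an out-of-range mac and a ctrl failure are indistinguishable in the error queue; a dedicated reason code, or at least a comment on the 4..16 bound, would help. The `else if (auth)` branch and the length bound are both new error paths, so the change should carry tests that feed an AuthEnvelopedData with a 1-byte mac and one whose inner OID names a non-AEAD cipher.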

Source: OpenSSL commit 03c1f4d4. The patch enforces a taglen range of 4 to 16 bytes and rejects non-AEAD ciphers when authenticated content is requested.

Detection Methods for CVE-2026-34182

Indicators of Compromise

  • Inbound CMS or S/MIME messages whose AuthEnvelopedData content-encryption OID resolves to a non-AEAD algorithm such as AES-256-OFB, AES-CBC, or AES-CTR.
  • AuthEnvelopedData containers where the mac field length is shorter than 4 bytes or longer than 16 bytes.
  • Repeated CMS decryption attempts from a single source against the same recipient, indicating oracle probing.

Detection Strategies

  • Parse incoming CMS messages at the gateway and verify the inner content-encryption algorithm against an allowlist of AEAD ciphers (AES-GCM, AES-CCM, ChaCha20-Poly1305).
  • Instrument applications to log CMS_decrypt() outcomes alongside the parsed algorithm OID and tag length for post-hoc analysis.
  • Apply YARA or protocol-aware rules to identify malformed AuthEnvelopedData structures in mail and messaging pipelines.

Monitoring Recommendations

  • Track volume and rate of CMS decryption failures per source identity to surface oracle-style probing.
  • Alert on any application returning verbose decryption status to untrusted senders.
  • Inventory binaries linked against vulnerable OpenSSL versions and monitor for cryptographic library updates.

How to Mitigate CVE-2026-34182

Immediate Actions Required

  • Upgrade OpenSSL to a release containing the fixes referenced in the OpenSSL Security Advisory.
  • Rebuild or relink applications that statically include OpenSSL CMS code paths.
  • Audit exposed services that decrypt CMS or S/MIME messages and suppress decryption status responses to untrusted senders.

Patch Information

OpenSSL released fixes across multiple branches. The relevant upstream commits are 03c1f4d4, 439ed7d2, 7947e6a8, 9fd97f8c, and d2ca86bc. The patches enforce a 4-to-16 byte tag length and reject non-AEAD ciphers in AuthEnvelopedData processing.

Workarounds

  • Switch CMS-dependent workloads to the OpenSSL FIPS module, which is not affected by this issue.
  • Reject AuthEnvelopedData messages at the application layer when the inner OID does not match an approved AEAD algorithm.
  • Strip success or failure indicators from any decryption-facing service response to prevent oracle exploitation until patches are deployed.
# Check the installed OpenSSL version and which libcrypto/libssl shared objects the loader sees
openssl version -a
ldconfig -p | grep -E 'libcrypto|libssl'

# Inspect a suspicious CMS message: print the parsed ASN.1 and pull out the content-encryption
# algorithm and the mac field, so the inner OID and the tag length can be checked against the
# AEAD allowlist and the 4-to-16 byte range before the message is handed to CMS_decrypt()
openssl cms -cmsout -in suspicious.p7m -inform DER -print | \
    grep -E -A1 'contentEncryptionAlgorithm|mac:'
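The gateway allowlist check from Detection Strategies and the application-layer rejection from Workarounds, as an added example that is not OpenSSL code or part of this advisory: a minimal DER walk over a CMS AuthEnvelopedData that applies the same two conditions the patch enforces, an AEAD-only content-encryption OID and a mac field of 4 to 16 bytes. The AEAD allowlist, the helper names, and the sample messages built by sample_message() are assumptions of the example.

```python
# Added example (not OpenSSL code): DER walk over a CMS AuthEnvelopedData applying the patch's two checks.
AEAD_OIDS = {"2.16.840.1.101.3.4.1.6": "aes-128-gcm", "2.16.840.1.101.3.4.1.26": "aes-192-gcm",
             "2.16.840.1.101.3.4.1.46": "aes-256-gcm", "2.16.840.1.101.3.4.1.7": "aes-128-ccm",
             "2.16.840.1.101.3.4.1.27": "aes-192-ccm", "2.16.840.1.101.3.4.1.47": "aes-256-ccm",
             "1.2.840.113549.1.9.16.3.18": "chacha20-poly1305"}
AUTH_ENVELOPED_DATA = "1.2.840.113549.1.9.16.1.23"               # id-ct-authEnvelopedData
def tlv(buf, pos=0):                                              # one DER TLV -> (tag, value, end)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                                  # long form: n & 0x7F length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(value):                                              # members of a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        out.append((tag, v))
    return out
def oid_str(b):                                                   # DER OID contents -> dotted form
    parts, acc = [str(b[0] // 40), str(b[0] % 40)], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def check_auth_enveloped(der_bytes):                              # (ok, detail) for a DER ContentInfo
    ctype, wrapped = children(tlv(der_bytes)[1])[:2]
    if oid_str(ctype[1]) != AUTH_ENVELOPED_DATA:
        return False, "not AuthEnvelopedData"
    body = children(tlv(wrapped[1])[1])                           # [0] EXPLICIT -> SEQUENCE
    fields = [f for f in body if f[0] not in (0xA0, 0xA1, 0xA2)]  # drop OPTIONAL tagged members
    eci, mac = fields[2], fields[3]                               # authEncryptedContentInfo, mac
    oid = oid_str(children(children(eci[1])[1][1])[0][1])         # contentEncryptionAlgorithm OID
    if oid not in AEAD_OIDS:                                      # e.g. aes-256-ofb = ...3.4.1.43
        return False, "non-AEAD content cipher " + oid
    if not 4 <= len(mac[1]) <= 16:                                # OpenSSL's taglen is len(mac)
        return False, "mac length %d outside 4..16" % len(mac[1])
    return True, AEAD_OIDS[oid]

# Constructed test messages (dummy recipient, IV and ciphertext; not real CMS output).
AES256_GCM = bytes.fromhex("60864801650304012e")                  # 2.16.840.1.101.3.4.1.46
AES256_OFB = bytes.fromhex("60864801650304012b")                  # 2.16.840.1.101.3.4.1.43
def der(tag, payload):                                            # short-form length is enough here
    return bytes([tag, len(payload)]) + payload
def sample_message(cipher_oid, mac_len):
    alg = der(0x30, der(0x06, cipher_oid) + der(0x04, b"\x00" * 12))   # AlgorithmIdentifier, bare IV
    eci = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")) + alg + der(0x80, b"\xaa" * 8))
    body = der(0x02, b"\x00") + der(0x31, der(0x30, b"")) + eci + der(0x04, b"\x11" * mac_len)
    return der(0x30, der(0x06, bytes.fromhex("2a864886f70d0109100117")) + der(0xA0, der(0x30, body)))
```

check_auth_enveloped() measures the mac field itself, which is what OpenSSL copies into ec->taglen, so a 0-byte or 1-byte mac and a non-AEAD inner OID are refused before any key is unwrapped.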

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.