CVE-2026-42767 Overview
CVE-2026-42767 is a NULL pointer dereference vulnerability in the OpenSSL Certificate Management Protocol (CMP) client. An attacker-controlled CMP server, or an attacker performing a man-in-the-middle attack, can send a crafted response that crashes the client application. The flaw stems from improper handling of a Certificate Request Message Format (CRMF) CertRepMessage containing an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. Applications that process untrusted CMP/CRMF messages are affected. The FIPS modules in OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because the vulnerable code sits outside the FIPS module boundary.
Critical Impact
A remote attacker controlling or intercepting CMP server responses can crash the OpenSSL CMP client, resulting in denial of service for applications relying on CMP for certificate management.
Affected Products
- OpenSSL CMP client implementations processing untrusted CMP/CRMF messages
- Applications using OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() and OSSL_CRMF_ENCRYPTEDVALUE_decrypt() from crypto/crmf/crmf_lib.c
- Non-FIPS OpenSSL branches (FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected)
Discovery Timeline
- 2026-06-09 - CVE-2026-42767 published to NVD
- 2026-06-09 - OpenSSL Security Advisory released with patch commits
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-42767
Vulnerability Analysis
The vulnerability is a NULL pointer dereference [CWE-476] in OpenSSL's CRMF processing code. When an OpenSSL CMP client receives a CertRepMessage from a server, it parses the embedded EncryptedValue structure to decrypt the certificate. The EncryptedValue includes a symmAlg field describing the symmetric algorithm used for encryption. This field follows the AlgorithmIdentifier ASN.1 structure, which contains an algorithm OID and an optional parameters element.
The affected functions, OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() and OSSL_CRMF_ENCRYPTEDVALUE_decrypt() in crypto/crmf/crmf_lib.c, assume the parameters field is present and dereference it without a NULL check. When an attacker omits the parameters element while supplying a valid OID, the client crashes. The result is a denial of service for any application that consumes untrusted CMP responses.
Root Cause
The root cause is missing input validation on optional ASN.1 fields. OpenSSL's CMP client trusts the structure of attacker-controlled EncryptedValue data and reads the symmAlg parameters field without verifying it is non-NULL. Because the parameters element is optional in the ASN.1 grammar, a well-formed message can legitimately omit it, exposing the dereference.
Attack Vector
Exploitation requires the attacker to control a CMP server or to act as a man-in-the-middle on the network path between client and server. No authentication or user interaction is required. The attacker crafts a CMP response containing a CRMF CertRepMessage whose EncryptedValue.symmAlg carries an algorithm OID but no parameters field. The client crashes upon processing the response, terminating the certificate enrollment workflow.
// Patch excerpt from crypto/crmf/crmf_lib.c
// OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert()
EVP_CIPHER *cipher = NULL; /* used cipher */
int cikeysize = 0; /* key size from cipher */
unsigned char *iv = NULL; /* initial vector for symmetric encryption */
+ int iv_len; /* iv length */
unsigned char *outbuf = NULL; /* decryption output buffer */
const unsigned char *p = NULL; /* needed for decoding ASN1 */
int n, outlen = 0;
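Review bot: `int iv_len;` in OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() is declared without an initializer, while the adjacent `cipher`, `cikeysize` and `iv` are all initialized at declaration. Consider `int iv_len = 0;` so that a cleanup or error path reached before the length is computed can never read an indeterminate value. The excerpt shows only this declaration, so the check that rejects a missing symmAlg parameters element cannot be reviewed from these lines; the comment `/* iv length */` could also say which value the length is compared against.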
Source: OpenSSL commit 61a86a8c
// Patch excerpt from crypto/crmf/crmf_lib.c
// OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
EVP_CIPHER *cipher = NULL; /* used cipher */
int cikeysize = 0; /* key size from cipher */
unsigned char *iv = NULL; /* initial vector for symmetric encryption */
+ int iv_len; /* iv length */
unsigned char *out = NULL; /* decryption output buffer */
int n, ret = 0;
EVP_PKEY_CTX *pkctx = NULL; /* private key context */
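Review bot: the `int iv_len;` local added to OSSL_CRMF_ENCRYPTEDVALUE_decrypt() is identical to the one added in the get1_encCert() excerpt, which suggests the IV-length handling is duplicated across both functions. If that is the case, move it into one static helper in crmf_lib.c so the two decode paths cannot drift apart, and have both callers treat a failed length check as a decode error rather than continuing with a partial state.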
Source: OpenSSL commit 810b722f
These patches add proper handling of the symmetric algorithm parameters, validating the field before dereference rather than assuming it is populated.
Detection Methods for CVE-2026-42767
Indicators of Compromise
- Unexpected crashes or segmentation faults in applications using OpenSSL CMP client functionality
- Core dumps referencing OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert or OSSL_CRMF_ENCRYPTEDVALUE_decrypt in the call stack
- CMP certificate enrollment workflows failing repeatedly against specific servers
- Anomalous CMP traffic from unexpected upstream hosts or via untrusted network paths
Detection Strategies
- Inspect CMP/CRMF traffic for EncryptedValue structures with a symmAlg OID but missing parameters field
- Monitor host telemetry for repeated process termination of CMP-enabled binaries linked against vulnerable OpenSSL versions
- Correlate TLS interception alerts with CMP enrollment failures to identify man-in-the-middle attempts
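The root cause described earlier and the first detection strategy above both reduce to noticing an AlgorithmIdentifier that carries an OID but no parameters. The C code below is an added example, not OpenSSL's code or the upstream patch: a DER reader that reports the absent optional field as NULL and checks it before use. The names `alg_id`, `parse_alg_id` and `iv_len_from_der` are hypothetical, only short-form DER lengths are handled, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical decoded AlgorithmIdentifier; params is NULL when absent. */
typedef struct { const unsigned char *params; size_t len; unsigned char tag; } alg_id;

/* Read one DER TLV header (short-form length only); 0 on success. */
static int read_tlv(const unsigned char **p, size_t *left,
                    unsigned char *tag, size_t *len)
{
    if (*left < 2 || ((*p)[1] & 0x80)) return -1;
    *tag = (*p)[0]; *len = (*p)[1];
    *p += 2; *left -= 2;
    return *len <= *left ? 0 : -1;
}

/* Parse SEQUENCE { OID, parameters OPTIONAL }; 0 on success. */
int parse_alg_id(const unsigned char *der, size_t n, alg_id *out)
{
    unsigned char tag; size_t len;
    out->params = NULL; out->len = 0; out->tag = 0;
    if (read_tlv(&der, &n, &tag, &len) || tag != 0x30) return -1;
    n = len;                              /* stay inside the SEQUENCE */
    if (read_tlv(&der, &n, &tag, &len) || tag != 0x06) return -1;
    der += len; n -= len;                 /* skip the OID body */
    if (n == 0) return 0;                 /* parameters omitted: valid DER */
    if (read_tlv(&der, &n, &out->tag, &len) || len != n) return -1;
    out->params = der; out->len = len;
    return 0;
}

/* IV length from an OCTET STRING parameter; -1 absent or wrong type, -2 malformed. */
int iv_len_from_der(const unsigned char *der, size_t n)
{
    alg_id a;
    if (parse_alg_id(der, n, &a) != 0) return -2;
    if (a.params == NULL || a.tag != 0x04) return -1;  /* check before use */
    return (int)a.len;
}

/* Constructed samples: aes-128-cbc OID with a 16-byte all-zero IV, and OID only. */
static const unsigned char WITH_IV[31] = { 0x30,0x1D,0x06,0x09,0x60,0x86,0x48,
    0x01,0x65,0x03,0x04,0x01,0x02,0x04,0x10 };   /* remaining 16 bytes are 0 */
static const unsigned char NO_PARAMS[13] = { 0x30,0x0B,0x06,0x09,0x60,0x86,0x48,
    0x01,0x65,0x03,0x04,0x01,0x02 };
int main(void)
{
    printf("%d %d\n", iv_len_from_der(WITH_IV, 31), iv_len_from_der(NO_PARAMS, 13));
    return 0;
}
```

A return of -1 marks the structure this advisory describes and can be logged as a detection event instead of being passed on to decryption.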
Monitoring Recommendations
- Enable verbose logging in CMP client applications to capture decoded EncryptedValue structures
- Track OpenSSL library versions across the fleet and flag hosts running unpatched builds
- Alert on abnormal restart loops of services that perform automated certificate enrollment
How to Mitigate CVE-2026-42767
Immediate Actions Required
- Apply the OpenSSL patches referenced in the June 2026 Security Advisory to all affected branches
- Inventory applications that link against OpenSSL and use the CMP client API to prioritize patching
- Restrict CMP client connectivity to trusted, authenticated certificate management servers only
- Enforce TLS with strict certificate validation on CMP transport channels to mitigate man-in-the-middle attacks
Patch Information
OpenSSL has published fixes across multiple branches. The relevant upstream commits are 61a86a8c, 665d5254, 810b722f, b90ff3b1, and e6f91290. These patches add explicit validation of the symmetric algorithm parameters before use in OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() and OSSL_CRMF_ENCRYPTEDVALUE_decrypt().
Workarounds
- Disable CMP client functionality in applications where certificate enrollment via CMP is not required
- Route CMP traffic only through internal, authenticated channels not exposed to untrusted networks
- Configure network policies to allowlist specific CMP server endpoints and block all others
# Verify installed OpenSSL version and rebuild against a patched library
openssl version -a
# After updating, validate the CMP client links to the patched library
ldd "$(command -v your_cmp_client)" | grep -i ssl
# Restrict outbound CMP (typically TCP/829) to known trusted servers
TRUSTED_CMP_SERVER_IP=192.0.2.10  # placeholder address; replace with your trusted CMP server
iptables -A OUTPUT -p tcp --dport 829 -d "$TRUSTED_CMP_SERVER_IP" -j ACCEPT
iptables -A OUTPUT -p tcp --dport 829 -j DROP


