CVE-2026-45445 Overview
CVE-2026-45445 is a cryptographic vulnerability in OpenSSL's AES-OCB provider implementation. When an application drives an AES-OCB context through the EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Every message encrypted under the same key uses the same effective nonce regardless of the caller's IV. This produces catastrophic (key, nonce) reuse and loss of confidentiality. If the same code path computes the authentication tag, the tag depends only on the (key, IV) pair, enabling universal forgery of arbitrary ciphertext from a single captured message. The OpenSSL TLS stack is not affected because AES-OCB is not a TLS cipher suite and libssl does not call EVP_Cipher().
Critical Impact
Applications using AES-OCB through EVP_Cipher() suffer nonce reuse and authentication tag forgery, breaking confidentiality and integrity guarantees of the AEAD construction.
Affected Products
- OpenSSL builds exposing the AES-OCB provider through the EVP_Cipher() one-shot API
- Applications combining AES-OCB with the one-shot EVP_Cipher() interface
- Non-FIPS OpenSSL deployments (FIPS modules 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because AES-OCB is outside the FIPS module boundary)
Discovery Timeline
- 2026-06-09 - OpenSSL publishes security advisory
- 2026-06-09 - CVE-2026-45445 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45445
Vulnerability Analysis
The flaw resides in the OCB provider's one-shot cipher handler in providers/implementations/ciphers/cipher_aes_ocb.c. OpenSSL exposes two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and the lower-level one-shot EVP_Cipher(). The streaming handler flushes the application-supplied IV into the OCB context before processing data. The one-shot handler omitted this step. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. This is classified under [CWE-325] (Missing Cryptographic Step).
Root Cause
The one-shot handler did not invoke update_iv() before calling CRYPTO_ocb128_encrypt/decrypt. Without that step, Offset_0 remains zero across encryptions under the same key. A subsequent call to EVP_EncryptFinal_ex() runs the deferred IV setup, which clears the running checksum that should have accumulated over the plaintext. The emitted tag becomes a function of (key, IV) only and validates against any ciphertext produced under that same (key, IV) pair.
Attack Vector
An attacker who captures a single ciphertext plus tag produced by a vulnerable application can forge arbitrary ciphertexts that verify under the same key. Because nonces are effectively constant, two-time-pad style attacks can recover plaintext from pairs of messages encrypted under the same key. Exploitation requires the target application to misuse the documented API by selecting EVP_Cipher() with AES-OCB.
return 0;
}
+ /*
+ * Mirror the streaming handler: refuse if the key has not been set,
+ * and push the buffered IV into the OCB context before any data is
+ * processed. Without this, CRYPTO_ocb128_encrypt/decrypt runs with
+ * Offset_0 = 0 regardless of the caller's IV -- catastrophic
+ * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag
+ * that is a function of (key, iv) only.
+ */
+ if (!ctx->key_set || !update_iv(ctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+ return 0;
+ }
+
if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
return 0;
Source: GitHub OpenSSL Commit #323f0b6e. The patch mirrors the streaming handler by refusing to proceed when the key is unset and pushing the buffered IV into the OCB context before any plaintext is processed.
Detection Methods for CVE-2026-45445
Indicators of Compromise
- Repeated identical ciphertext blocks across messages encrypted under the same key, indicating effective nonce reuse
- Authentication tags that verify successfully against substituted ciphertexts, suggesting tag depends only on (key, IV)
- Application binaries linking against unpatched OpenSSL that call EVP_Cipher() with an EVP_aes_*_ocb() context
Detection Strategies
- Perform static analysis of application source and binaries for symbol references to EVP_Cipher paired with EVP_aes_128_ocb, EVP_aes_192_ocb, or EVP_aes_256_ocb
- Inventory installed OpenSSL versions across servers, build pipelines, and containers and compare against the fixed releases listed in the OpenSSL Security Advisory
- Audit dependency manifests and software bill of materials (SBOM) entries for OpenSSL versions predating the patch commits
Monitoring Recommendations
- Log AES-OCB usage in custom cryptographic services and flag any code path invoking EVP_Cipher() directly
- Monitor build and package registries for new OpenSSL releases and trigger rebuilds of downstream artifacts
- Capture cryptographic library version telemetry from production hosts and alert on hosts still running vulnerable builds
How to Mitigate CVE-2026-45445
Immediate Actions Required
- Upgrade OpenSSL to a fixed release that includes the AES-OCB one-shot IV patch commits referenced in the OpenSSL advisory
- Audit application code to replace EVP_Cipher() calls on AES-OCB contexts with the documented streaming AEAD API: EVP_CipherUpdate() followed by EVP_CipherFinal_ex()
- Treat any data encrypted with vulnerable AES-OCB code paths as compromised and rotate affected keys
Patch Information
The OpenSSL project published fixes across multiple branches. The relevant commits apply update_iv(ctx) on the one-shot path in providers/implementations/ciphers/cipher_aes_ocb.c. See GitHub OpenSSL Commit #323f0b6e, GitHub OpenSSL Commit #787a6dfb, GitHub OpenSSL Commit #7ac47152, GitHub OpenSSL Commit #843c9b94, and GitHub OpenSSL Commit #983d54b5.
Workarounds
- Switch all AES-OCB usage to the documented streaming AEAD interface (EVP_CipherUpdate / EVP_CipherFinal_ex); applications using only this path are not affected
- Temporarily replace AES-OCB with an alternative AEAD such as AES-GCM through the streaming interface until patched OpenSSL is deployed
- Rely on FIPS-mode OpenSSL where possible, since AES-OCB is outside the FIPS module boundary and the FIPS modules are not affected
# Verify the installed OpenSSL version and rebuild dependents after upgrading
openssl version -a
# Identify binaries calling EVP_Cipher (review for AES-OCB usage)
nm -D /path/to/app | grep -E 'EVP_Cipher|EVP_aes_[0-9]+_ocb'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
