CVE-2026-45446 Overview
CVE-2026-45446 is a cryptographic flaw in OpenSSL's provider implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452). The implementations mishandle authentication of Additional Authenticated Data (AAD) when the ciphertext is empty. An attacker can forge messages containing arbitrary AAD and an all-zeros authentication tag that pass verification without knowledge of the key. AES-SIV has been present since OpenSSL 3.0, and AES-GCM-SIV since OpenSSL 3.2. No OpenSSL-native protocols (TLS, CMS, PKCS7, HPKE, QUIC) use these ciphers, so exploitation requires an application using the EVP interface with a custom protocol. The OpenSSL FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected.
Critical Impact
Attackers can forge empty-ciphertext messages with arbitrary AAD that authenticate successfully under any key, breaking the integrity guarantees of AES-GCM-SIV and AES-SIV nonce-misuse-resistant AEAD modes.
Affected Products
- OpenSSL 3.0 and later (AES-SIV implementation)
- OpenSSL 3.2 and later (AES-GCM-SIV implementation)
- Applications using the EVP interface with custom protocols built on AES-SIV or AES-GCM-SIV
Discovery Timeline
- 2026-06-09 - OpenSSL publishes security advisory and patches
- 2026-06-09 - CVE-2026-45446 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45446
Vulnerability Analysis
AES-SIV and AES-GCM-SIV are nonce-misuse-resistant Authenticated Encryption with Associated Data (AEAD) modes. They accept a key, nonce, optional AAD, and plaintext, producing ciphertext and a 16-byte authentication tag. On decryption, EVP_DecryptFinal_ex() should return success only when the tag verifies correctly.
In OpenSSL's provider implementation, the expected tag is computed only when the decryption update function is invoked with non-empty data. If the caller supplies AAD and then calls EVP_DecryptFinal_ex() without invoking the ciphertext update, the tag computation never occurs. The tag field retains its initialized all-zeros value, which the verification routine then compares against the attacker-supplied all-zeros tag.
The weakness is classified as CWE-325: Missing Cryptographic Step.
Root Cause
The cipher_aes_gcm_siv_hw.c and cipher_aes_siv.c provider modules fail to reset or recompute the authentication tag when a zero-length ciphertext path is taken. The internal ctx->tag buffer remains at its all-zeros initial state, and the generated_tag flag is not properly cleared between operations. This allows the verification step to succeed against a forged all-zeros tag.
Attack Vector
For AES-GCM-SIV, an attacker sends arbitrary AAD, empty ciphertext, and an all-zeros 16-byte tag. Verification passes under any unknown key in a single-shot operation. For AES-SIV, exploitation additionally requires the target application to reuse the decryption context without resetting the key between operations. The application must implement its own protocol via the EVP interface and skip the ciphertext update when an empty-ciphertext message is received.
// Patch from providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c
// Resets generated_tag flag and zeroes the tag buffer during init
memset(&data, 0, sizeof(data));
memcpy(&data.block[sizeof(data.counter)], ctx->nonce, NONCE_SIZE);
+ ctx->generated_tag = 0;
+ memset(ctx->tag, 0, TAG_SIZE);
+
/* msg_auth_key is always 16 bytes in size, regardless of AES128/AES256 */
/* counter is stored little-endian */
for (i = 0; i < BLOCK_SIZE; i += 8) {
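Review bot: the two added lines reset ctx->generated_tag and zero ctx->tag during init, which clears state carried over from a previous operation on a reused context, but on their own they do not change what happens on the empty-ciphertext path: if EVP_DecryptFinal_ex() is reached with generated_tag still 0, the final routine must compute the tag over the AAD and the empty plaintext rather than compare the supplied tag against the zeroed buffer. Since 16 bytes of 0x00 in ctx->tag is exactly the value a forged message carries, the compare must be gated on generated_tag (or the tag recomputed there); please confirm that change lands alongside this hunk, as it is not visible here.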
Source: OpenSSL Commit 25b32cd9
// Patch from providers/implementations/ciphers/cipher_aes_siv.c
// Adds SIV128_CONTEXT pointer for proper state reset handling
PROV_AES_SIV_CTX *ctx = (PROV_AES_SIV_CTX *)vctx;
const OSSL_PARAM *p;
unsigned int speed = 0;
+ SIV128_CONTEXT *sctx = &ctx->siv;
if (ossl_param_is_empty(params))
return 1;
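Review bot: sctx is declared but not used in the visible lines, and the function returns 1 two lines later when params is empty, so any reset that uses sctx only runs when a non-empty params array is supplied. Please confirm the equivalent SIV128 state reset also happens on the plain init path (EVP_DecryptInit_ex with a fresh key), since the AES-SIV case in the advisory concerns reused contexts. If sctx is only needed further down, consider declaring it at the point of use so builds where that later code is conditional do not warn about an unused variable.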
Source: OpenSSL Commit 7fe3f33a
Detection Methods for CVE-2026-45446
Indicators of Compromise
- Application logs showing successful decryption of messages with empty ciphertext payloads under AES-SIV or AES-GCM-SIV
- Repeated authentication successes from unexpected sources where the authentication tag field is all zeros (16 bytes of 0x00)
- Anomalous protocol messages containing AAD with zero-length ciphertext fields
Detection Strategies
- Inventory all applications linking against OpenSSL 3.0 or later and identify those calling EVP_EncryptInit_ex or EVP_DecryptInit_ex with cipher names aes-128-siv, aes-256-siv, aes-128-gcm-siv, or aes-256-gcm-siv.
- Perform static analysis on application source code to locate paths that call EVP_DecryptFinal_ex() without preceding EVP_DecryptUpdate() calls when ciphertext length is zero.
- Audit network captures for protocol messages where the authentication tag equals 16 bytes of zeros, particularly when accompanied by non-empty AAD.
Monitoring Recommendations
- Add runtime telemetry around custom AEAD protocol handlers to log decryption operations involving zero-length ciphertext and capture the supplied tag value.
- Track installed OpenSSL library versions across endpoints and servers to identify hosts still running vulnerable builds.
- Correlate application authentication anomalies with cryptographic library version data to detect possible forgery attempts.
How to Mitigate CVE-2026-45446
Immediate Actions Required
- Identify all applications using AES-SIV or AES-GCM-SIV via OpenSSL's EVP interface and upgrade to the patched OpenSSL release listed in the OpenSSL Security Advisory.
- Audit custom protocol implementations to ensure they do not skip EVP_DecryptUpdate() when handling empty-ciphertext messages.
- Reject inbound messages containing all-zero authentication tags at the application protocol layer until patches are deployed.
Patch Information
The OpenSSL project published fixes in multiple commits to providers/implementations/ciphers/cipher_aes_gcm_siv_hw.c and providers/implementations/ciphers/cipher_aes_siv.c. The fixes reset ctx->generated_tag and zero the ctx->tag buffer during context initialization, ensuring stale all-zero tag state cannot satisfy verification. Refer to the OpenSSL Security Advisory dated 2026-06-09 for the full list of fixed versions and patch commits including 25b32cd9, 71e2a5d2, 7fe3f33a, daca0f48, and eec5e9bf.
Workarounds
- Switch affected applications to alternative AEAD modes such as AES-GCM or ChaCha20-Poly1305 until patched OpenSSL builds are deployed.
- Modify application code to reject messages with zero-length ciphertext before invoking EVP_DecryptFinal_ex().
- For AES-SIV usage, ensure the decryption context is reset with a fresh key for every message rather than reused across operations.
# Verify the installed OpenSSL version and rebuild applications after patching
openssl version -a

/* Example application-side guard against empty-ciphertext forgery (C pseudocode).
 * Reject the message before the code path reaches EVP_DecryptFinal_ex();
 * log_event() and AUTH_FAILURE stand for the application's own logging and
 * error-return conventions. */
if (ciphertext_len == 0) {
    log_event("reject: empty ciphertext under AES-SIV/AES-GCM-SIV");
    return AUTH_FAILURE;
}
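As an added example that is not part of the OpenSSL advisory or of this page's original text, the following plain C (no OpenSSL dependency) implements the two application-level measures described above in one place: the protocol-layer guard from the workarounds (reject zero-length ciphertext and all-zero tags before any EVP_Decrypt* call is made) and the capture audit from the detection section (count messages that have the forgery shape: non-empty AAD, empty ciphertext, 16 bytes of 0x00 as the tag). The aead_msg layout, the verdict names and the sample_batch traffic are constructed for illustration and do not correspond to any real protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16

/* Constructed wire layout for illustration only (not a real protocol):
 * one message carries AAD, ciphertext and a 16-byte authentication tag. */
typedef struct {
    const uint8_t *aad;
    size_t aad_len;
    const uint8_t *ct;
    size_t ct_len;
    uint8_t tag[TAG_LEN];
} aead_msg;

typedef enum {
    MSG_OK = 0,              /* safe to hand to EVP_DecryptUpdate + EVP_DecryptFinal_ex */
    MSG_REJECT_EMPTY_CT = 1, /* zero-length ciphertext: never reach EVP_DecryptFinal_ex */
    MSG_REJECT_ZERO_TAG = 2  /* tag is 16 bytes of 0x00: the forgery signature */
} msg_verdict;

/* Test for an all-zero tag without an early exit, so the guard's timing
 * does not reveal the position of the first non-zero byte. */
static int tag_is_all_zero(const uint8_t tag[TAG_LEN])
{
    uint8_t acc = 0;
    for (size_t i = 0; i < TAG_LEN; i++)
        acc |= tag[i];
    return acc == 0;
}

/* Application-layer guard: run on each parsed message before any
 * EVP_Decrypt* call. Checking ct_len first means the empty-ciphertext
 * path is never handed to the provider, whatever the tag contains. */
msg_verdict classify_message(const aead_msg *m)
{
    if (m->ct_len == 0)
        return MSG_REJECT_EMPTY_CT;
    if (tag_is_all_zero(m->tag))
        return MSG_REJECT_ZERO_TAG;
    return MSG_OK;
}

/* Audit helper for a batch of parsed messages (e.g. from a capture):
 * count those with the forgery shape, i.e. non-empty AAD, empty
 * ciphertext and an all-zero tag. */
size_t count_forgery_shaped(const aead_msg *msgs, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (msgs[i].aad_len > 0 && msgs[i].ct_len == 0 && tag_is_all_zero(msgs[i].tag))
            hits++;
    return hits;
}

/* Constructed sample traffic: a legitimate message, a forgery-shaped
 * message, an empty-ciphertext message with a non-zero tag, and a
 * non-empty ciphertext carrying an all-zero tag. */
static const uint8_t sample_aad[] = "hdr:v1;seq=7";
static const uint8_t sample_ct[]  = { 0x9a, 0x3c, 0x51, 0x00 };
const aead_msg sample_batch[4] = {
    { sample_aad, sizeof sample_aad - 1, sample_ct, sizeof sample_ct, { 0xab, 0x10 } },
    { sample_aad, sizeof sample_aad - 1, NULL, 0, { 0 } },
    { sample_aad, sizeof sample_aad - 1, NULL, 0, { 0x01 } },
    { sample_aad, sizeof sample_aad - 1, sample_ct, sizeof sample_ct, { 0 } },
};
const size_t sample_batch_len = 4;

int main(void)
{
    static const char *names[] = { "ok", "reject-empty-ciphertext", "reject-zero-tag" };
    for (size_t i = 0; i < sample_batch_len; i++)
        printf("msg %zu: %s\n", i, names[classify_message(&sample_batch[i])]);
    printf("forgery-shaped messages: %zu\n",
           count_forgery_shaped(sample_batch, sample_batch_len));
    return 0;
}
```

The guard is only a valid workaround if the protocol never legitimately sends AAD-only messages with empty ciphertext; where it does, the application cannot distinguish a forgery from a genuine message by shape alone, and the patched OpenSSL build is the only fix. Messages that pass classify_message() should still go through the full EVP_DecryptUpdate() then EVP_DecryptFinal_ex() sequence, never straight to the final call.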
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

