SB20260610125 - Fedora 44 update for openssl


Published: June 10, 2026

Security Bulletin ID: SB20260610125
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 15
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 13%, Medium: 67%, Low: 20%

Description

This security bulletin contains information about 15 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-45447)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to use-after-free in the PKCS7_verify() function when processing a specially crafted PKCS#7 or S/MIME signed message during PKCS#7 signature verification. A remote attacker can send a specially crafted signed message to execute arbitrary code.

Applications using the CMS APIs for this processing are not affected.


2) Input validation error (CVE-ID: CVE-2026-34182)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass integrity validation.

The vulnerability exists due to improper input validation in CMS AuthEnvelopedData processing when decrypting crafted AuthEnvelopedData containers. A remote attacker can send a specially crafted CMS message to bypass integrity validation.

In some cases, if the application exposes decryption success or failure, the issue can be used as an oracle to obtain key-equivalent functionality for the content-encryption key.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-34183)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled memory allocation in the QUIC PATH_CHALLENGE handler when processing floods of PATH_CHALLENGE frames. A remote attacker can send a flood of PATH_CHALLENGE frames to cause a denial of service.

The issue affects applications acting as a QUIC client or server.


4) NULL pointer dereference (CVE-ID: CVE-2026-42764)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to NULL pointer dereference in QUIC server initial packet handling when processing an initial packet with an invalid or expired token. A remote attacker can send a crafted initial packet to cause a denial of service.

The issue is reachable only when address validation is disabled, such as when SSL_LISTENER_FLAG_NO_VALIDATE is used with SSL_new_listener().


5) Improper Initialization (CVE-ID: CVE-2026-45445)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to forge arbitrary ciphertext.

The vulnerability exists due to improper initialization in the AES-OCB EVP_Cipher() one-shot path when processing AES-OCB operations through the public EVP_Cipher() interface. A local user can invoke the one-shot API on an AES-OCB context to forge arbitrary ciphertext.

Only applications that combine AES-OCB with the EVP_Cipher() one-shot API are affected; applications using the documented streaming AEAD API are not affected.


6) Heap-based buffer overflow (CVE-ID: CVE-2026-7383)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in ASN1_mbstring_copy() and ASN1_mbstring_ncopy() when converting attacker-controlled multibyte strings to Unicode output. A local user can supply extremely large crafted input to execute arbitrary code.

Triggering the issue requires direct use of ASN1_mbstring_copy() or ASN1_mbstring_ncopy(), or a custom string type registered via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more.


7) Out-of-bounds read (CVE-ID: CVE-2026-9076)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in kek_unwrap_key() when processing attacker-supplied CMS password-based decryption data with a stream-mode KEK cipher. A remote attacker can send a specially crafted CMS message to cause a denial of service.

No password knowledge is required because the over-read occurs during the unwrap attempt before authentication succeeds.


8) Out-of-bounds read (CVE-ID: CVE-2026-34180)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to integer truncation in the ASN.1 decoder when parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length. A remote attacker can supply crafted ASN.1 input to disclose sensitive information.

The issue affects only 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.


9) Input validation error (CVE-ID: CVE-2026-34181)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to impersonate a user.

The vulnerability exists due to improper input validation in PKCS#12 file processing for PBMAC1 integrity verification when processing unencrypted PKCS#12 files with a one-byte HMAC key. A remote attacker can submit a crafted PKCS#12 file to impersonate a user.

The forged file is accepted with a 1 in 256 probability.


10) NULL pointer dereference (CVE-ID: CVE-2026-42766)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to NULL pointer dereference in password-based CMS decryption when processing a specially crafted CMS message with an absent PasswordRecipientInfo.keyDerivationAlgorithm field. A remote attacker can send a specially crafted CMS message to cause a denial of service.

Applications that process password-encrypted CMS messages may be affected.


11) NULL pointer dereference (CVE-ID: CVE-2026-42767)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to NULL pointer dereference in CRMF EncryptedValue decryption when processing a crafted CMP response containing an EncryptedValue structure with an algorithm OID but no parameters field. A remote attacker can send a crafted CMP response to cause a denial of service.

The issue can be triggered by an attacker-controlled CMP server or a man-in-the-middle.


12) Observable discrepancy (CVE-ID: CVE-2026-42768)

CWE-ID: CWE-203 - Observable discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to decrypt or sign messages with the victim's private RSA key.

The vulnerability exists due to observable discrepancy in error handling in CMS_decrypt() and PKCS7_decrypt() when processing attacker-supplied CMS or S/MIME messages and exposing decryption errors or output differences. A remote attacker can send crafted messages and observe the application's responses to decrypt or sign messages with the victim's private RSA key.

The attack requires the application to expose the error code and/or decryption output in a way that can be observed by the attacker.


13) Improper Certificate Validation (CVE-ID: CVE-2026-42769)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to replace the root CA certificate trusted by CMP clients.

The vulnerability exists due to improper certificate validation in OSSL_CMP_get1_rootCaKeyUpdate() when processing id-it-rootCaKeyUpdate CMP messages. A remote user can send a crafted CMP root CA key update message to replace the root CA certificate trusted by CMP clients.

Exploitation requires credentials that satisfy the CMP message protection checks.


14) Input validation error (CVE-ID: CVE-2026-42770)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to recover the victim's private key.

The vulnerability exists due to improper input validation in EVP_PKEY_derive_set_peer() when validating a DHX (X9.42) peer key using the peer-supplied q parameter for subgroup membership checks. A remote attacker can present a forged DHX peer key to recover the victim's private key.

The realistic attack surface is narrow and is principally limited to deployments using long-lived X9.42 DHX static keys with interactive protocols.


15) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-45446)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to forge empty messages with arbitrary additional authenticated data.

The vulnerability exists due to incorrect tag processing in the AES-GCM-SIV and AES-SIV provider implementations when decrypting messages with empty ciphertext and supplied additional authenticated data. A remote attacker can send a crafted message with empty ciphertext and a forged tag to forge empty messages with arbitrary additional authenticated data.

The issue is reachable only in applications that implement their own protocol with the EVP interface and skip the ciphertext update when a message with empty ciphertext arrives.
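Several of the items above are reachable only through a specific OpenSSL API named in the bulletin. The following triage script is an added example, not part of the bulletin or of OpenSSL: it maps those items to the identifiers the bulletin names and reports which ones a code base should be reviewed for. It assumes the standard OpenSSL cipher constructors `EVP_aes_*_ocb()` and the fetchable cipher name `"AES-*-OCB"` as the way AES-OCB is selected; items whose reachability depends on input handling rather than on an API (the QUIC flood, the CMS and PKCS#12 parsing issues) are out of its scope.

```python
import re

# Each bulletin item maps to a description and a list of pattern groups.
# An item is flagged only when EVERY group matches somewhere in the source,
# so AES-OCB is flagged only when both EVP_Cipher() and an OCB cipher appear.
# Identifiers are taken from the bulletin text; the OCB constructors/name are
# an assumption about how applications normally select AES-OCB.
REACHABILITY = {
    "CVE-2026-45447": ("PKCS7_verify() use-after-free",
                       [r"\bPKCS7_verify\s*\("]),
    "CVE-2026-42764": ("QUIC listener with address validation disabled",
                       [r"\bSSL_LISTENER_FLAG_NO_VALIDATE\b"]),
    "CVE-2026-45445": ("AES-OCB through the EVP_Cipher() one-shot path",
                       [r"\bEVP_Cipher\s*\(",
                        r"\bEVP_aes_\d+_ocb\s*\(|\"AES-\d+-OCB\""]),
    "CVE-2026-7383":  ("ASN1_mbstring_copy()/ncopy() or custom string table",
                       [r"\bASN1_mbstring_n?copy\s*\(|\bASN1_STRING_TABLE_add\s*\("]),
    "CVE-2026-42768": ("CMS_decrypt()/PKCS7_decrypt() error oracle exposure",
                       [r"\bCMS_decrypt\s*\(|\bPKCS7_decrypt\s*\("]),
    "CVE-2026-42769": ("CMP root CA key update handling",
                       [r"\bOSSL_CMP_get1_rootCaKeyUpdate\s*\("]),
    "CVE-2026-42770": ("DHX peer key validation in EVP_PKEY_derive_set_peer()",
                       [r"\bEVP_PKEY_derive_set_peer\s*\("]),
}


def triage_source(source: str) -> dict:
    """Return {CVE: description} for every item whose pattern groups all match."""
    return {cve: desc for cve, (desc, groups) in REACHABILITY.items()
            if all(re.search(p, source) for p in groups)}


# Constructed sample of application code, not a real program.
SAMPLE = r'''
PKCS7 *p7 = SMIME_read_PKCS7(in, &cont);
if (!PKCS7_verify(p7, NULL, store, cont, out, 0)) goto err;
EVP_EncryptInit_ex(ctx, EVP_aes_128_ocb(), NULL, key, iv);
EVP_Cipher(ctx, out, in, inlen);   /* one-shot path */
'''

if __name__ == "__main__":
    for cve, desc in sorted(triage_source(SAMPLE).items()):
        print(f"{cve}: review {desc}")
```

A hit means the code path the bulletin names is present and should be reviewed; no hit does not show an application is unaffected, since the remaining items depend on what input the application accepts, not on which API it calls.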


Remediation

Install the update from the vendor's website.