Observable discrepancy in OpenSSL - CVE-2026-42768

 

Published: June 10, 2026


Vulnerability identifier: #VU134283
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42768
CWE-ID: CWE-203
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenSSL Software Foundation
Affected software: OpenSSL

Detailed vulnerability description

The vulnerability allows a remote attacker to decrypt or sign messages with the victim's private RSA key.

The vulnerability exists due to an observable discrepancy in error handling in CMS_decrypt() and PKCS7_decrypt() when attacker-supplied CMS or S/MIME messages are processed and decryption errors or output differences are exposed. A remote attacker can send crafted messages and observe the application's responses to decrypt or sign messages with the victim's private RSA key.

The attack requires the application to expose the error code and/or decryption output in a way that can be observed by the attacker.


How to mitigate CVE-2026-42768

Install the security update from the vendor's website.
