Improper Verification of Cryptographic Signature in OpenSSL - CVE-2026-45446
Published: June 10, 2026
Vulnerability identifier: #VU134287
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45446
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenSSL Software Foundation
Affected software:
OpenSSL
OpenSSL
Detailed vulnerability description
The vulnerability allows a remote attacker to forge empty messages with arbitrary additional authenticated data.
The vulnerability exists due to incorrect tag processing in the AES-GCM-SIV and AES-SIV provider implementations when decrypting messages with empty ciphertext and supplied additional authenticated data. A remote attacker can send a crafted message with empty ciphertext and a forged tag to forge empty messages with arbitrary additional authenticated data.
The issue is reachable only in applications that implement their own protocol with the EVP interface and skip the ciphertext update when a message with empty ciphertext arrives.
How to mitigate CVE-2026-45446
Install security update from vendor's website.