Bug 2481891 (CVE-2026-42767)

Summary: CVE-2026-42767 openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in OpenSSL. An attacker controlling a Certificate Management Protocol (CMP) server, or acting as a man-in-the-middle, could craft a malicious CMP response. This response, containing a Certificate Request Message Format (CRMF) CertRepMessage with a specific malformed EncryptedValue structure, would trigger a NULL pointer dereference in the OpenSSL CMP client. This vulnerability leads to a crash of the application, resulting in a Denial of Service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-06-09   

Description OSIDB Bzimport 2026-05-27 14:19:15 UTC 
NULL Pointer Dereference in CRMF EncryptedValue Decryption

NULL Pointer Dereference in CRMF EncryptedValue Decryption (CVE-2026-42767)
Severity: Low

Issue summary: An attacker-controlled CMP (Certificate Management Protocol)
server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the
application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could
craft a CMP response containing a CRMF (Certificate Request Message Format)
CertRepMessage with an EncryptedValue structure where the symmAlg field
has an algorithm OID but no parameters field. When the OpenSSL CMP client
processes this response, the NULL dereference occurs, causing a crash of
the CMP client.

Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.

OpenSSL 4.0, 3.6, and 3.5 are vulnerable to this issue.

OpenSSL 1.0.2, 1.1.1, 3.0, and 3.4 are not affected by this issue.

OpenSSL 4.0 users should upgrade to OpenSSL 4.0.1
OpenSSL 3.6 users should upgrade to OpenSSL 3.6.3.
OpenSSL 3.5 users should upgrade to OpenSSL 3.5.7.

This issue was reported by Zhanpeng Liu (Tencent Xuanwu Lab),
Guannan Wang (Tencent Xuanwu Lab) and Guancheng Li (Tencent Xuanwu Lab)
on 27th March 2026. The fix was developed by Igor Ustinov.
Comment 2 errata-xmlrpc 2026-06-11 12:32:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:25237 https://access.redhat.com/errata/RHSA-2026:25237
Comment 3 errata-xmlrpc 2026-06-11 12:34:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:25239 https://access.redhat.com/errata/RHSA-2026:25239