Bug 2430390 (CVE-2026-22796) - CVE-2026-22796 openssl: OpenSSL: Denial of Service via type confusion in PKCS#7 signature verification
Summary: CVE-2026-22796 openssl: OpenSSL: Denial of Service via type confusion in PKCS...
Keywords:
Status: NEW
Alias: CVE-2026-22796
Deadline: 2026-01-27
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-16 14:45 UTC by OSIDB Bzimport
Modified: 2026-01-29 22:38 UTC (History)
7 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2026:1601 0 None None None 2026-01-29 20:11:06 UTC
Red Hat Product Errata RHBA-2026:1605 0 None None None 2026-01-29 22:38:40 UTC
Red Hat Product Errata RHSA-2026:1472 0 None None None 2026-01-28 08:56:47 UTC
Red Hat Product Errata RHSA-2026:1473 0 None None None 2026-01-28 09:54:18 UTC

Description OSIDB Bzimport 2026-01-16 14:45:00 UTC 
Severity: Low

Issue summary: A type confusion vulnerability exists in the signature
verification of signed PKCS#7 data where an ASN1_TYPE union member is
accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7
data or calling directly the PKCS7_digest_from_attributes() function can be
caused to dereference an invalid or NULL pointer when reading, resulting in
a Denial of Service.

The function PKCS7_digest_from_attributes() accesses the message digest attribute
value without validating its type. When the type is not V_ASN1_OCTET_STRING,
this results in accessing invalid memory through the ASN1_TYPE union, causing
a crash.

Exploiting this vulnerability requires an attacker to provide a malformed
signed PKCS#7 to an application that verifies it. The impact of the
exploit is just a Denial of Service, the PKCS7 API is legacy and applications
should be using the CMS API instead. For these reasons the issue was
assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.6 users should upgrade to OpenSSL 3.6.1.

OpenSSL 3.5 users should upgrade to OpenSSL 3.5.5.

OpenSSL 3.4 users should upgrade to OpenSSL 3.4.4.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.6.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.19.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1ze.
(premium support customers only).

OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zn.
(premium support customers only).
Comment 2 errata-xmlrpc 2026-01-28 08:56:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1472 https://access.redhat.com/errata/RHSA-2026:1472
Comment 3 errata-xmlrpc 2026-01-28 09:54:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1473 https://access.redhat.com/errata/RHSA-2026:1473
Note You need to log in before you can comment on or make changes to this bug.