Bug 2481882 (CVE-2026-34181) - CVE-2026-34181 openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys [NEEDINFO]
Summary: CVE-2026-34181 openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMA...
Keywords:
Status: NEW
Alias: CVE-2026-34181
Deadline: 2026-06-09
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 13:55 UTC by OSIDB Bzimport
Modified: 2026-06-19 03:20 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
hyoskim: needinfo? (prodsec-dev)

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2026:26057 0 None None None 2026-06-15 20:24:46 UTC
Red Hat Product Errata RHBA-2026:26059 0 None None None 2026-06-15 20:50:07 UTC
Red Hat Product Errata RHBA-2026:26280 0 None None None 2026-06-16 12:32:30 UTC
Red Hat Product Errata RHBA-2026:26291 0 None None None 2026-06-16 11:56:14 UTC
Red Hat Product Errata RHBA-2026:26303 0 None None None 2026-06-16 12:09:35 UTC
Red Hat Product Errata RHBA-2026:26394 0 None None None 2026-06-16 15:18:45 UTC
Red Hat Product Errata RHBA-2026:26554 0 None None None 2026-06-17 13:40:23 UTC
Red Hat Product Errata RHBA-2026:27072 0 None None None 2026-06-18 10:41:53 UTC
Red Hat Product Errata RHSA-2026:25237 0 None None None 2026-06-11 12:31:57 UTC
Red Hat Product Errata RHSA-2026:25239 0 None None None 2026-06-11 12:34:27 UTC

Description OSIDB Bzimport 2026-05-27 13:55:57 UTC 
PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys

PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys (CVE-2026-34181)
Severity: Low

Issue Summary: The PKCS#12 file processing fails to perform sufficient input
validation for files that use Password-Based Message Authentication Code 1
(PBMAC1) integrity mechanism allowing a certificate and private key forgery.

Impact Summary: An attacker impersonating a user can cause a service reading
PKCS#12 files to accept forged certificates and private keys with a 1 in 256
probability.

If a service accepting PKCS#12 files is using passwords for authenticating
the received files, the attacker can create unencrypted PKCS#12 files that
use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing
them to craft a file that will be accepted with a 1 in 256 probability.
That would then cause the service to accept a certificate and private key
controlled by the attacker.

The FIPS modules are not affected by this issue, as the affected code is
outside the OpenSSL FIPS module boundary.

OpenSSL 4.0, 3.6, 3.5, and 3.4 are vulnerable to this issue.

OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do
not support PBMAC1 in PKCS#12.

OpenSSL 4.0 users should upgrade to OpenSSL 4.0.1.
OpenSSL 3.6 users should upgrade to OpenSSL 3.6.3.
OpenSSL 3.5 users should upgrade to OpenSSL 3.5.7.
OpenSSL 3.4 users should upgrade to OpenSSL 3.4.6.

This issue was reported on 2nd March 2026 by Pavol Žáčik (Red Hat).
This issue was also reported on 16th April 2026 by Alex Gaynor (Anthropic).

The fix has been developed by Alicja Kario (Red Hat).
Comment 2 errata-xmlrpc 2026-06-11 12:31:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:25237 https://access.redhat.com/errata/RHSA-2026:25237
Comment 3 errata-xmlrpc 2026-06-11 12:34:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:25239 https://access.redhat.com/errata/RHSA-2026:25239
Note You need to log in before you can comment on or make changes to this bug.