Possible NULL Dereference in Password-Based CMS Decryption (CVE-2026-42766)

Severity: Low

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.

Applications that process password-encrypted CMS messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

OpenSSL 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2 are vulnerable to this issue.

OpenSSL 4.0 users should upgrade to OpenSSL 4.0.1.
OpenSSL 3.6 users should upgrade to OpenSSL 3.6.3.
OpenSSL 3.5 users should upgrade to OpenSSL 3.5.7.
OpenSSL 3.4 users should upgrade to OpenSSL 3.4.6.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.21.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1zh (premium support customers only).
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zq (premium support customers only).

This issue was reported by Mayank Jangid and Kushal Khemka on 20th April 2026, independently reported by Hari Priandana on 4th May 2026, by Bhabani Sankar Das on 15th May 2026, and by Qifan Zhang (Palo Alto Networks) on 18th May 2026. The fix was developed by Igor Ustinov.
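As an added illustration of the defect class described above (this is example code, not OpenSSL's source and not the actual fix), the C program below models a decoded PasswordRecipientInfo whose keyDerivationAlgorithm pointer is NULL when the OPTIONAL field was absent, and shows the presence check a decryptor must make before using it. It also includes a small DER-level screen that reports whether the [0] IMPLICIT keyDerivationAlgorithm element is present, which a defender can run over incoming recipient infos before handing them to a library that has not yet been upgraded. The struct layout, function names and sample DER bytes are constructed for this example; the OIDs embedded in the samples are the standard PBKDF2 and id-alg-PWRI-KEK identifiers.

```c
/*
 * Added example, not OpenSSL source. Models CMS PasswordRecipientInfo
 * (RFC 5652 s.6.2.4, RFC 3211) where keyDerivationAlgorithm is [0] OPTIONAL,
 * and shows (a) the NULL check a decryptor must make before using the field
 * and (b) a DER-level screen that reports whether the field is present.
 * All type and function names here are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const char *oid;      /* dotted-decimal algorithm OID */
} AlgorithmIdentifier;

typedef struct {
    long version;
    AlgorithmIdentifier *keyDerivationAlgorithm;  /* OPTIONAL: NULL when absent */
    AlgorithmIdentifier *keyEncryptionAlgorithm;
    const uint8_t *encryptedKey;
    size_t encryptedKeyLen;
} PasswordRecipientInfo;

enum { PWRI_OK = 0, PWRI_ERR_NO_KDF = -1, PWRI_ERR_NO_KEK = -2 };

/* Hardened selection of the KDF: refuse the message when the OPTIONAL field
 * is absent instead of dereferencing a NULL pointer. */
int pwri_select_kdf(const PasswordRecipientInfo *pwri, const char **kdf_oid)
{
    if (pwri == NULL || kdf_oid == NULL) return PWRI_ERR_NO_KDF;
    if (pwri->keyEncryptionAlgorithm == NULL) return PWRI_ERR_NO_KEK;
    if (pwri->keyDerivationAlgorithm == NULL) return PWRI_ERR_NO_KDF; /* the check the advisory describes as missing */
    *kdf_oid = pwri->keyDerivationAlgorithm->oid;
    return PWRI_OK;
}

/* Minimal DER header reader: returns header size (0 on error), sets tag/len. */
static size_t der_tlv(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    size_t hdr = 2;
    if (avail < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) {
        *len = p[1];
    } else {
        size_t nb = p[1] & 0x7F, i;
        if (nb == 0 || nb > 2 || avail < 2 + nb) return 0;  /* no indefinite/huge lengths */
        for (*len = 0, i = 0; i < nb; i++) *len = (*len << 8) | p[2 + i];
        hdr += nb;
    }
    return (*len <= avail - hdr) ? hdr : 0;
}

/* Screen a DER PasswordRecipientInfo before handing it to a decryptor:
 * 1 = keyDerivationAlgorithm present, 0 = absent, -1 = malformed. */
int pwri_der_has_kdf(const uint8_t *der, size_t len)
{
    uint8_t tag; size_t l, hdr, off, end;
    if ((hdr = der_tlv(der, len, &tag, &l)) == 0 || tag != 0x30) return -1;
    off = hdr; end = hdr + l;                         /* confine to the outer SEQUENCE */
    if ((hdr = der_tlv(der + off, end - off, &tag, &l)) == 0 || tag != 0x02) return -1;
    off += hdr + l;                                   /* skip version INTEGER */
    if ((hdr = der_tlv(der + off, end - off, &tag, &l)) == 0) return -1;
    if (tag == 0xA0) return 1;   /* [0] IMPLICIT AlgorithmIdentifier: KDF present */
    if (tag == 0x30) return 0;   /* went straight to keyEncryptionAlgorithm: KDF absent */
    return -1;
}

/* Constructed sample inputs (OIDs are PBKDF2 and id-alg-PWRI-KEK). */
static const uint8_t PWRI_WITH_KDF[] = {
    0x30, 0x23,
    0x02, 0x01, 0x00,                                        /* version 0 */
    0xA0, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C,
    0x30, 0x0D, 0x06, 0x0B, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x10, 0x03, 0x09,
    0x04, 0x02, 0xAA, 0xBB                                   /* encryptedKey (dummy bytes) */
};
static const uint8_t PWRI_NO_KDF[] = {
    0x30, 0x16,
    0x02, 0x01, 0x00,
    0x30, 0x0D, 0x06, 0x0B, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x10, 0x03, 0x09,
    0x04, 0x02, 0xAA, 0xBB
};

/* Drives the decoded-struct path for a message with the field absent. */
int pwri_demo_missing_kdf(void)
{
    AlgorithmIdentifier kek = { "1.2.840.113549.1.9.16.3.9" };
    PasswordRecipientInfo pwri = { 0, NULL, &kek, PWRI_NO_KDF + 22, 2 };
    const char *kdf = NULL;
    return pwri_select_kdf(&pwri, &kdf);   /* PWRI_ERR_NO_KDF, no crash */
}

int main(void)
{
    printf("DER with kdf: %d, DER without kdf: %d, struct path: %d\n",
           pwri_der_has_kdf(PWRI_WITH_KDF, sizeof PWRI_WITH_KDF),
           pwri_der_has_kdf(PWRI_NO_KDF, sizeof PWRI_NO_KDF),
           pwri_demo_missing_kdf());
    return 0;
}
```

The screen deliberately reads only tags and lengths: the second element after the version INTEGER is either the context-specific [0] (KDF present) or the SEQUENCE of keyEncryptionAlgorithm (KDF absent), so no OID decoding is needed to classify the message. An application that cannot upgrade immediately can reject recipient infos where this returns 0 or -1 before calling into the CMS decryption path.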
This issue has been addressed in the following products:

Red Hat Enterprise Linux 10: via RHSA-2026:25237 (https://access.redhat.com/errata/RHSA-2026:25237)
Red Hat Enterprise Linux 9: via RHSA-2026:25239 (https://access.redhat.com/errata/RHSA-2026:25239)