Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenSSL 3.4.0 < 3.4.6 Multiple Vulnerabilities

🗓️ 09 Jun 2026 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 2 Views

OpenSSL prior to 3.4.6 is vulnerable to Bleichenbacher attacks via CMS_decrypt and PKCS7_decrypt.

Related
Refs
Code
ReporterTitlePublishedViews
Family
FreeBSD		OpenSSL -- Multiple vulnerabilities
9 Jun 202600:00
freebsd
FreeBSD		FreeBSD -- Multiple vulnerabilities in OpenSSL
9 Jun 202600:00
freebsd
AlpineLinux		CVE-2026-34180
9 Jun 202616:03
alpinelinux
AlpineLinux		CVE-2026-34181
9 Jun 202616:03
alpinelinux
AlpineLinux		CVE-2026-34182
9 Jun 202616:03
alpinelinux
AlpineLinux		CVE-2026-34183
9 Jun 202616:03
alpinelinux
AlpineLinux		CVE-2026-42766
9 Jun 202616:03
alpinelinux
AlpineLinux		CVE-2026-42767
9 Jun 202616:03
alpinelinux
AlpineLinux		CVE-2026-42768
9 Jun 202616:03
alpinelinux
AlpineLinux		CVE-2026-42769
9 Jun 202616:03
alpinelinux
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(320138);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/10");

  script_cve_id(
    "CVE-2026-7383",
    "CVE-2026-9076",
    "CVE-2026-34180",
    "CVE-2026-34181",
    "CVE-2026-34182",
    "CVE-2026-34183",
    "CVE-2026-42766",
    "CVE-2026-42767",
    "CVE-2026-42768",
    "CVE-2026-42769",
    "CVE-2026-42770",
    "CVE-2026-45445",
    "CVE-2026-45446",
    "CVE-2026-45447"
  );

  script_name(english:"OpenSSL 3.4.0 < 3.4.6 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of OpenSSL installed on the remote host is prior to 3.4.6. It is, therefore, affected by multiple
vulnerabilities as referenced in the 3.4.6 advisory.

  - Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack
    when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or
    decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's
    vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack
    is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without
    providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI)
    without stopping at the first success. An attacker who authors a message with two KTRI entries  the first
    one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext 
    obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the
    application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-
    chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or
    forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is
    provided with the recipient certificate, and the recipient is not found, a random key is substituted. An
    attacker who authors a message and is able to compare both error code and the result of the decryption,
    can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an
    opportunity to mount an attack described in these scenarios. We consider the existence of such application
    very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks,
    when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit
    rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit
    rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the
    symmetric key. This result is deterministic for the ciphertext and the private key. The length of the
    decryption result can happen to match the length of the key of the symmetric cipher that was used for the
    content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks
    valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this
    a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The
    FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing
    happens outside the OpenSSL FIPS module boundary. (CVE-2026-42768)

  - Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in
    ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead
    to a crash or possibly attacker controlled code execution or other undefined behaviour. In
    ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a
    signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING
    (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the
    input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size
    wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes
    past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose
    DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no
    network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug
    requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a
    custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a
    gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6,
    3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module
    boundary. (CVE-2026-7383)

  - Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied
    CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in
    kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of
    Service for an application if the input buffer ends at a memory page boundary and the following page is
    unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The
    key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap
    allocation that is based on the wrapped key length from the message. There is a minimum length check based
    on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the
    attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an
    attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing
    the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can
    happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms
    -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is
    required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-
    read is limited to a few bytes and is not written to output, so there is no information disclosure.
    Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal
    allocator. The FIPS modules are not affected by this issue. (CVE-2026-9076)

  - Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during
    PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap
    corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if
    the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a
    caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in
    a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on
    the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO
    usage patterns, this may result in a crash or other memory corruption. In some application contexts this
    may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME
    signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this
    processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
    issue, as the affected code is outside the OpenSSL FIPS module boundary. (CVE-2026-45447)

  - Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the
    authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such
    messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's
    application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant
    AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and
    plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented
    to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these
    ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the
    caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update,
    which can happen when the received ciphertext length is zero, the tag is never recalculated and still
    holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty
    ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-
    SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context
    without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since
    OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-
    SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP
    interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The
    FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not
    FIPS approved and the affected code is outside the OpenSSL FIPS module boundary. (CVE-2026-45446)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://github.com/openssl/security/commit/05b066366842f930fadd9a6e94df98030af431bb
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ffa3eb5");
  # https://github.com/openssl/security/commit/1c6908e4fa5fa568752221d8eaf561a809751e5d
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e31f3d47");
  # https://github.com/openssl/security/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e9231e67");
  # https://github.com/openssl/security/commit/5f452bba2c681423d8fcffd120a19b757ee42e3c
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4b7bf8bd");
  # https://github.com/openssl/security/commit/665d5254083affde9982efca7c41dd01cacc8774
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f9fd72f0");
  # https://github.com/openssl/security/commit/777b363b16fcf2153bb3ded39dc3838713667c44
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d39d36e0");
  # https://github.com/openssl/security/commit/79eb76a937e474bb7610a0a3dc57131dc8dc6610
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e81ef9e9");
  # https://github.com/openssl/security/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?29da0321");
  # https://github.com/openssl/security/commit/a541ae8bfe849a30cc885e8780715c0f488e496c
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fb4c750b");
  # https://github.com/openssl/security/commit/ab52d88cb5374876d59aee3c91f9e4ccce2b7ce4
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?abf29aa3");
  # https://github.com/openssl/security/commit/d2ca86bcd43e4f17d899f347101766b6107676e0
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5ee332a1");
  # https://github.com/openssl/security/commit/d2e9efbe4900a373227deb136e8665401404ffac
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fbc02c27");
  # https://github.com/openssl/security/commit/daca0f48e4a69a2892a62262bad59e62a8a76598
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a50f2fe4");
  # https://github.com/openssl/security/commit/dd68364107a58841c0a2546812518b65d3a23abd
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fc66e669");
  script_set_attribute(attribute:"see_also", value:"https://openssl-library.org/news/secadv/20260609.txt");
  # https://openssl-library.org/policies/general/security-policy/index.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eac4598c");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-34180");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-34181");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-34182");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-34183");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-42766");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-42767");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-42768");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-42769");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-42770");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-45445");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-45446");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-45447");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-7383");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-9076");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSL version 3.4.6 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42768");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-45447");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/09");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("openssl_version.nasl", "openssl_nix_installed.nbin", "openssl_win_installed.nbin");
  script_require_keys("installed_sw/OpenSSL");

  exit(0);
}

include('vcf.inc');
include('vcf_extras_openssl.inc');

var app_info = vcf::combined_get_app_info(app:'OpenSSL');

vcf::check_all_backporting(app_info:app_info);

var constraints = [
  { 'min_version' : '3.4.0', 'fixed_version' : '3.4.6' }
];

vcf::openssl::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Jun 2026 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.18.8
SSVC
opensslbleichenbacher_attackdecrypt_function_vulnerability
2