CVE-2026-42767
Awaiting Analysis
NULL Pointer Dereference in OpenSSL CMP Client

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: OpenSSL Software Foundation

Description
Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor: openssl
Product: cmp_client
Version / Range: end excluding 4.0, 3.6, 3.5, 3.4, 3.0 (the fixed release in each affected branch is excluded)
CWE
CWE ID: CWE-476
Description: The product dereferences a pointer that it expects to be valid but is NULL.
AI Quick Actions
Executive Summary

This vulnerability occurs in the OpenSSL CMP client when it processes a specially crafted CMP response from an attacker-controlled CMP server or a man-in-the-middle. The crafted response contains a CRMF CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but lacks the parameters field. This causes a NULL pointer dereference in the CMP client application.

The NULL pointer dereference leads to a crash of the CMP client application.

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS) condition caused by the crash of the CMP client application.

An attacker who controls a CMP server or is positioned as a man-in-the-middle can exploit this vulnerability to disrupt the normal operation of applications that process untrusted CMP/CRMF messages.

Compliance Impact

The vulnerability causes a NULL pointer dereference leading to a denial of service by crashing the CMP client application. While this impacts availability, there is no information provided about data breaches, unauthorized data access, or data integrity issues that would directly affect compliance with standards like GDPR or HIPAA.

Since the issue results in a denial of service rather than data compromise, its impact on compliance with regulations focused on data protection and privacy is limited or indirect.
