CVE-2026-42767
Status: Analyzed (Analysis Complete)

NULL Pointer Dereference in OpenSSL CMP Client

Vulnerability report for CVE-2026-42767, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-16

Assigner: OpenSSL Software Foundation

Description

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-16
Generated: 2026-06-30
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
References: NVD, EUVD

Affected Vendors & Products

5 associated CPEs

Vendor   | Product | Version / Range
---------|---------|------------------------------------
openssl  | openssl | From 3.0.0 (inc) to 3.0.21 (exc)
openssl  | openssl | From 3.4.0 (inc) to 3.4.6 (exc)
openssl  | openssl | From 3.5.0 (inc) to 3.5.7 (exc)
openssl  | openssl | From 3.6.0 (inc) to 3.6.3 (exc)
openssl  | openssl | 4.0.0

Exploitability

CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.

Executive Summary

This vulnerability occurs in the OpenSSL CMP client when it processes a specially crafted CMP response from an attacker-controlled CMP server or a man-in-the-middle. The crafted response contains a CRMF CertRepMessage with an EncryptedValue structure whose symmAlg field carries an algorithm OID but lacks the parameters field. Processing that structure causes a NULL pointer dereference in the CMP client application, which crashes.

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS) condition caused by the crash of the CMP client application.

An attacker who controls a CMP server or is positioned as a man-in-the-middle can exploit this vulnerability to disrupt the normal operation of applications that process untrusted CMP/CRMF messages.

Compliance Impact

The vulnerability causes a NULL pointer dereference leading to a denial of service by crashing the CMP client application. While this impacts availability, there is no information provided about data breaches, unauthorized data access, or data integrity issues that would directly affect compliance with standards like GDPR or HIPAA.

Since the issue results in a denial of service rather than data compromise, its impact on compliance with regulations focused on data protection and privacy is limited or indirect.

Mitigation Strategies

To mitigate this vulnerability, update OpenSSL to a release that falls outside the affected ranges listed under Affected Vendors & Products, so that the CMP client includes the fix for the NULL pointer dereference.

The fix adds NULL checks before dereferencing the 'parameter' pointer in functions such as OSSL_CRMF_ENCRYPTEDVALUE_decrypt() and OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(), so that a crafted CMP response is rejected instead of crashing the client.

Until the update is applied, avoid processing CMP/CRMF messages from unknown or untrusted CMP servers.

Detection Guidance

This vulnerability is triggered when a CMP client processes a crafted CMP response containing a CRMF CertRepMessage with an EncryptedValue structure whose symmAlg field has an algorithm OID but no parameters field, causing a NULL pointer dereference and a crash.

Detection on a network or system therefore relies on monitoring CMP client applications for crashes or other denial-of-service symptoms while they process CMP/CRMF messages, especially messages received from untrusted or attacker-controlled CMP servers.

Neither the CVE description nor the available resources provide specific commands or signatures for detecting this vulnerability directly.
