CVE-2026-42771
Status: Awaiting Analysis (Queue)
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: OpenSSL Software Foundation

Description
Issue summary: When X509_VERIFY_PARAM_set1_email() is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out-of-bounds read can occur.

Impact summary: The out-of-bounds read does not directly exfiltrate the data read to the attacker, so the most likely result is a crash and a Denial of Service.

An internal helper function called from X509_VERIFY_PARAM_[set|add]_email() used the wrong length when validating the local part of an e-mail address. This could cause the 64-octet limit on the local part of an e-mail address to go unenforced, or cause an out-of-bounds read and potentially a crash. The bug is reachable via S/MIME validation with a crafted From: address supplied in an e-mail message, which can potentially cause a crash. No FIPS modules are affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Meta Information
Generated: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: openssl
Product: openssl
Version / Range: *
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability occurs when the function X509_VERIFY_PARAM_set1_email is called to validate a crafted e-mail address, such as during S/MIME message validation. An internal helper function used by this call incorrectly handles the length of the local part of the e-mail address, which can lead to an out-of-bounds read.

Specifically, the 64-octet limit on the local part of the e-mail address may not be enforced properly, causing the function to read beyond the intended memory boundary. This can result in a crash or denial of service when processing a specially crafted From: address in an e-mail message.

Impact Analysis

The primary impact of this vulnerability is a potential crash of the application performing the email validation, leading to a denial of service (DoS).

Since the out-of-bounds read does not directly expose or exfiltrate data to an attacker, the main risk is service interruption rather than data leakage.

Compliance Impact

This vulnerability causes an out-of-bounds read that can lead to a crash and Denial of Service during S/MIME message validation. However, it does not directly result in data exfiltration or compromise of confidentiality or integrity.

Since the vulnerability does not expose or leak sensitive data, it is unlikely to directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

Nevertheless, the potential for Denial of Service could affect availability, which is also a component of these standards. Organizations relying on S/MIME validation might experience service disruptions, which could indirectly affect compliance if availability requirements are not met.
