CVE-2026-42771

Out of Bounds Read in OpenSSL X509 Email Validation

Vulnerability report for CVE-2026-42771, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-16

Assigner: OpenSSL Software Foundation

Description

Issue summary: When an application calls X509_VERIFY_PARAM_set1_email() to validate a crafted e-mail address, for example during S/MIME message validation, an out-of-bounds read can occur.

Impact summary: The out-of-bounds read does not directly exfiltrate the data read to the attacker, so the most likely result is a crash and a Denial of Service.

An internal helper function called from X509_VERIFY_PARAM_[set|add]_email() used a wrong length when validating the local part of an e-mail address. As a result, the 64-octet limit on the local part of an e-mail address may not be enforced, or an out-of-bounds read and potentially a crash may occur. The bug is reachable via S/MIME validation with a crafted From: address supplied in an e-mail message, which can potentially cause a crash. No FIPS modules are affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-16
Generated: 2026-06-30
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

One associated CPE:

Vendor: openssl
Product: openssl
Version / Range: 4.0.0

CWE

CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.

AI Quick Actions
Executive Summary

This vulnerability occurs when X509_VERIFY_PARAM_set1_email() is called to validate a crafted e-mail address, such as during S/MIME message validation. An internal helper function used by this call handles the length of the local part of the e-mail address incorrectly, which can lead to an out-of-bounds read.

Specifically, the 64-octet limit on the local part of the e-mail address may not be enforced properly, causing the function to read beyond the intended memory boundary. This can result in a crash or denial of service when processing a specially crafted From: address in an e-mail message.

Impact Analysis

The primary impact of this vulnerability is a potential crash of the application performing the email validation, leading to a denial of service (DoS).

Since the out-of-bounds read does not directly expose or exfiltrate data to an attacker, the main risk is service interruption rather than data leakage.

Compliance Impact

This vulnerability causes an out-of-bounds read that can lead to a crash and Denial of Service during S/MIME message validation. However, it does not directly result in data exfiltration or compromise of confidentiality or integrity.

Since the vulnerability does not expose or leak sensitive data, it is unlikely to directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

Nevertheless, the potential for Denial of Service could affect availability, which is also a component of these standards. Organizations relying on S/MIME validation might experience service disruptions, which could indirectly affect compliance if availability requirements are not met.

Mitigation Strategies

To mitigate this vulnerability, avoid processing or validating S/MIME messages whose From: e-mail addresses could trigger the out-of-bounds read.

Since the issue occurs during calls to X509_VERIFY_PARAM_set1_email() or related functions, updating OpenSSL to a version in which this bug is fixed is recommended.

Additionally, monitor applications that perform S/MIME validation for crashes or other Denial of Service symptoms.

Detection Guidance

This vulnerability occurs during S/MIME message validation when a crafted e-mail address is processed, potentially causing a crash or denial of service due to an out-of-bounds read.

To detect this vulnerability on your system, monitor for crashes or abnormal behavior in applications that perform S/MIME validation using OpenSSL, especially when they process e-mails with unusual or crafted From: addresses.

There are no specific commands provided in the available resources to directly detect this vulnerability on your network or system.
