CVE-2026-45445
Status: Awaiting Analysis (Queue)
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: OpenSSL Software Foundation

Description
Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.

Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.

OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not.

Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.

The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: openssl
Product: openssl
Version / Range: up to, but excluding, 4.0 / 3.6 / 3.5 / 3.4 / 3.0 (end excluding on each branch)
CWE
CWE-325: The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
AI Quick Actions
Compliance Impact

This vulnerability causes loss of confidentiality due to nonce reuse and allows universal forgery of ciphertext, which compromises data security.

Such a loss of confidentiality can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of sensitive data against unauthorized access and tampering.

However, the vulnerability only affects applications using the AES-OCB cipher with the EVP_Cipher() one-shot API, and not those using the recommended streaming interface or OpenSSL's SSL/TLS implementation.

Executive Summary

This vulnerability occurs when an application uses the AES-OCB cipher with the OpenSSL EVP_Cipher() one-shot interface. In this case, the initialization vector (IV) supplied by the application is silently discarded, causing every message encrypted under the same key to use the same effective nonce.

Because the IV is ignored, the same (key, nonce) pair is reused, which compromises confidentiality. Additionally, if the authentication tag is computed using EVP_EncryptFinal_ex(), the tag depends only on the (key, IV) pair and not on the actual plaintext or ciphertext. This allows an attacker to forge arbitrary ciphertexts from a single captured message.

The issue arises because the one-shot EVP_Cipher() handler does not incorporate the IV into the OCB context, unlike the streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex), which is not affected. This vulnerability affects only applications that use AES-OCB with the EVP_Cipher() one-shot API.

Impact Analysis

This vulnerability can lead to loss of confidentiality because the same nonce is reused for multiple messages encrypted with the same key, which breaks the security guarantees of AES-OCB encryption.

Furthermore, it enables universal forgery of arbitrary ciphertexts from a single captured message: an attacker can produce ciphertexts whose authentication tag verifies without knowing the encryption key.

However, this vulnerability does not affect OpenSSL's SSL/TLS implementation or applications using the recommended streaming AEAD API, only those using the one-shot EVP_Cipher() interface with AES-OCB.

Mitigation Strategies

To mitigate this vulnerability, avoid using the EVP_Cipher() one-shot interface with the AES-OCB cipher.

Instead, use the documented streaming AEAD API, specifically EVP_CipherUpdate() and EVP_CipherFinal_ex(), which are not affected by this issue.

Also, note that the OpenSSL SSL/TLS implementation and FIPS modules are not affected by this vulnerability.
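One practical check a code owner can run while auditing for this issue is a source scan for the vulnerable combination the advisory describes: an AES-OCB cipher together with a call to the EVP_Cipher() one-shot. The scanner below is an added example for this page, not OpenSSL project code; the two C fragments it scans are constructed samples.

```python
"""Static audit for the CVE-2026-45445 pattern: an AES-OCB cipher driven
through EVP_Cipher() instead of EVP_CipherUpdate()/EVP_CipherFinal_ex().
Added example, not OpenSSL code; the sample sources are constructed."""
import re

# AES-OCB as named in OpenSSL code: legacy EVP_aes_*_ocb() getters or the
# provider fetch string "AES-128-OCB" / "AES-192-OCB" / "AES-256-OCB".
OCB_RE = re.compile(r'EVP_aes_(?:128|192|256)_ocb\s*\(|"AES-(?:128|192|256)-OCB"', re.I)
# The one-shot call only: "EVP_Cipher(" but not EVP_CipherUpdate( etc.
ONESHOT_RE = re.compile(r'\bEVP_Cipher\s*\(')
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(src: str) -> str:
    """Blank out C comments but keep newlines so line numbers stay correct."""
    return COMMENT_RE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), src)

def audit(src: str) -> dict:
    """Report OCB and EVP_Cipher() lines; flag only when both appear, since
    the advisory says the streaming API and non-OCB ciphers are unaffected."""
    ocb, oneshot = [], []
    for n, line in enumerate(strip_comments(src).splitlines(), 1):
        if OCB_RE.search(line):
            ocb.append(n)
        if ONESHOT_RE.search(line):
            oneshot.append(n)
    return {"ocb_lines": ocb, "evp_cipher_lines": oneshot,
            "vulnerable": bool(ocb and oneshot)}

# Constructed sample: the vulnerable combination (one-shot call on OCB ctx).
VULNERABLE_SRC = """\
ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, EVP_aes_128_ocb(), NULL, key, iv);
EVP_Cipher(ctx, out, in, inlen);            /* one-shot: IV discarded */
EVP_EncryptFinal_ex(ctx, out + inlen, &tmp);
"""
# Constructed sample: documented streaming path; EVP_Cipher( only in a comment.
SAFE_SRC = """\
// EVP_Cipher( is mentioned here only in a comment
cipher = EVP_CIPHER_fetch(NULL, "AES-256-OCB", NULL);
EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv);
EVP_CipherUpdate(ctx, out, &outl, in, inlen);
EVP_CipherFinal_ex(ctx, out + outl, &tmp);
"""

if __name__ == "__main__":
    for name, src in (("vulnerable.c", VULNERABLE_SRC), ("safe.c", SAFE_SRC)):
        print(name, audit(src))
```

The check is file-local and heuristic: the cipher may be selected in another translation unit, so a hit is a lead for manual review of how the context is driven, not a verdict.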
