CVE-2026-45445
Analyzed - Analysis Complete

IV Discard in OpenSSL AES-OCB Encryption

Vulnerability report for CVE-2026-45445, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-16

Assigner: OpenSSL Software Foundation

Description

Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.

Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.

OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex().

The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV.

If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.

The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case.

Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.


Meta Information

Published
2026-06-09
Last Modified
2026-06-16
Generated
2026-06-30
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-28
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
openssl openssl From 3.0.0 (inc) to 3.0.21 (exc)
openssl openssl From 3.4.0 (inc) to 3.4.6 (exc)
openssl openssl From 3.5.0 (inc) to 3.5.7 (exc)
openssl openssl From 3.6.0 (inc) to 3.6.3 (exc)
openssl openssl 4.0.0

CWE
CWE ID Description
CWE-325 The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.


AI Quick Actions

Executive Summary

This vulnerability occurs when an application uses the AES-OCB cipher with the OpenSSL EVP_Cipher() one-shot interface. In this case, the initialization vector (IV) supplied by the application is silently discarded, causing every message encrypted under the same key to use the same effective nonce.

Because the IV is ignored, the same (key, nonce) pair is reused, which compromises confidentiality. Additionally, if the authentication tag is computed using EVP_EncryptFinal_ex(), the tag depends only on the (key, IV) pair and not on the actual plaintext or ciphertext. This allows an attacker to forge arbitrary ciphertexts from a single captured message.

The issue arises because the one-shot EVP_Cipher() handler does not properly incorporate the IV into the OCB context, unlike the streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) which is not affected. This vulnerability affects only applications that use AES-OCB with the EVP_Cipher() one-shot API.

Impact Analysis

This vulnerability can lead to loss of confidentiality because the same nonce is reused for multiple messages encrypted with the same key, which breaks the security guarantees of AES-OCB encryption.

Furthermore, it enables universal forgery of arbitrary ciphertexts from a single captured message, meaning an attacker can create valid encrypted messages without knowing the encryption key.

However, this vulnerability does not affect OpenSSL's SSL/TLS implementation or applications using the recommended streaming AEAD API, only those using the one-shot EVP_Cipher() interface with AES-OCB.

Mitigation Strategies

To mitigate this vulnerability, avoid using the EVP_Cipher() one-shot interface with the AES-OCB cipher.

Instead, use the documented streaming AEAD API, specifically EVP_CipherUpdate() and EVP_CipherFinal_ex(), which are not affected by this issue.

Also, note that the OpenSSL SSL/TLS implementation and FIPS modules are not affected by this vulnerability.

Compliance Impact

This vulnerability causes loss of confidentiality due to nonce reuse and allows universal forgery of ciphertext, which compromises data security.

Such a loss of confidentiality can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of sensitive data against unauthorized access and tampering.

However, the vulnerability only affects applications using the AES-OCB cipher with the EVP_Cipher() one-shot API, and not those using the recommended streaming interface or OpenSSL's SSL/TLS implementation.

Detection Guidance

This vulnerability arises from the use of the EVP_Cipher() one-shot API with AES-OCB in OpenSSL, where the Initialization Vector (IV) is silently discarded, causing nonce reuse and enabling forgery attacks.

Detection on a network or system would involve identifying applications that use OpenSSL's AES-OCB cipher via the EVP_Cipher() one-shot interface rather than the recommended streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex).

Since the vulnerability is specific to the use of EVP_Cipher() with AES-OCB, detection commands would focus on:

  • Checking the OpenSSL version in use against the affected ranges listed under Affected Vendors & Products (3.0.0 up to but excluding 3.0.21, 3.4.0 to 3.4.6, 3.5.0 to 3.5.7, 3.6.0 to 3.6.3, and 4.0.0).
  • Auditing application binaries or source code for usage of EVP_Cipher() with AES-OCB.
  • Monitoring network traffic for repeated ciphertexts or authentication tags that indicate nonce reuse under the same key.

Specific commands might include:

  • To check OpenSSL version: `openssl version`
  • To search for EVP_Cipher usage in source code: `grep -r EVP_Cipher /path/to/source`
  • To monitor network traffic for nonce reuse, use packet capture tools like tcpdump or Wireshark and analyze for repeated nonces or tags in AES-OCB encrypted messages.
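The source-audit and version-check steps above, as an added POSIX shell example; this is not code from the page, from the tracker, or from OpenSSL. The plain `grep -r EVP_Cipher` suggested in the list also matches `EVP_CipherInit_ex`, `EVP_CipherUpdate` and `EVP_CipherFinal_ex`, which are exactly the safe streaming calls, so the search below anchors on the opening parenthesis of the one-shot `EVP_Cipher(` and then narrows to files that also reference OCB, the combination this CVE concerns. The version ranges are the ones in the Affected Vendors & Products table; 3.1, 3.2 and 3.3 are not listed on this page, so the check reports them as unlisted rather than claiming they are safe. The three sample source files are constructed for the demonstration, and the file names, function names and the `--demo` switch are this example's own.

```shell
#!/bin/sh
# Added audit helpers for CVE-2026-45445 (example code, not OpenSSL's or the page's).

# find_oneshot_calls DIR
#   Prints FILE:LINE:TEXT for every call to the one-shot EVP_Cipher( API.
#   The regex requires "EVP_Cipher" to be followed directly by "(", so the
#   streaming calls EVP_CipherInit_ex/EVP_CipherUpdate/EVP_CipherFinal_ex do
#   not match. /dev/null is passed so grep always prints the file name.
find_oneshot_calls() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' \) \
        -exec grep -nE '(^|[^A-Za-z0-9_])EVP_Cipher[[:space:]]*\(' /dev/null {} + || true
}

# find_ocb_oneshot_files DIR
#   Of the files found above, prints those that also mention OCB
#   (EVP_aes_*_ocb() or an "AES-...-OCB" fetch string). A file that fetches
#   the cipher elsewhere will not be caught, so review the full list too.
#   Assumes no ":" in path names (the path is split on ":").
find_ocb_oneshot_files() {
    find_oneshot_calls "$1" | cut -d: -f1 | sort -u | while IFS= read -r f; do
        if grep -qiE 'ocb' "$f"; then printf '%s\n' "$f"; fi
    done
}

# openssl_version_affected VERSION
#   Exit 0 if VERSION lies in an affected range from the page's table,
#   1 if it is at or past the fixed release for that branch,
#   2 if the branch is not listed on the page (treat as unknown, not safe).
openssl_version_affected() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}           # drops suffixes such as "-dev"
    case "$major.$minor" in
        3.0) [ "$patch" -lt 21 ] ;;  # 3.0.0 (inc) to 3.0.21 (exc)
        3.4) [ "$patch" -lt 6 ] ;;   # 3.4.0 (inc) to 3.4.6 (exc)
        3.5) [ "$patch" -lt 7 ] ;;   # 3.5.0 (inc) to 3.5.7 (exc)
        3.6) [ "$patch" -lt 3 ] ;;   # 3.6.0 (inc) to 3.6.3 (exc)
        4.0) [ "$patch" -eq 0 ] ;;   # only 4.0.0 is listed
        *)   return 2 ;;
    esac
}

# make_sample_tree: constructed source tree for the demo; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    # CONSTRUCTED: safe streaming use of AES-OCB (IV is flushed into the context)
    cat > "$d/safe.c" <<'EOF'
EVP_CipherInit_ex(ctx, EVP_aes_128_ocb(), NULL, key, iv, 1);
EVP_CipherUpdate(ctx, out, &outl, in, inl);
EVP_CipherFinal_ex(ctx, out + outl, &tmpl);
EOF
    # CONSTRUCTED: one-shot EVP_Cipher() on AES-OCB, the combination this CVE covers
    cat > "$d/oneshot.c" <<'EOF'
EVP_CipherInit_ex(ctx, EVP_aes_128_ocb(), NULL, key, iv, 1);
EVP_Cipher(ctx, out, in, inl);
EVP_EncryptFinal_ex(ctx, out, &tmpl);
EOF
    # CONSTRUCTED: one-shot call with a non-OCB cipher; outside this CVE but still
    # use of an interface the documentation recommends against
    cat > "$d/cbc.c" <<'EOF'
EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv, 1);
EVP_Cipher(ctx, out, in, inl);
EOF
    printf '%s\n' "$d"
}

demo() {
    d=$(make_sample_tree)
    echo "One-shot EVP_Cipher() call sites:"
    find_oneshot_calls "$d"
    echo "Of those, files that also reference OCB:"
    find_ocb_oneshot_files "$d"
    for ver in 3.0.20 3.0.21 3.6.2 4.0.0 3.2.1; do
        rc=0; openssl_version_affected "$ver" || rc=$?
        case $rc in
            0) echo "$ver: affected" ;;
            1) echo "$ver: fixed" ;;
            *) echo "$ver: branch not listed on the page" ;;
        esac
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `sh audit.sh --demo` to see the sample results, or source the file and point `find_ocb_oneshot_files` at a real checkout; `openssl version` gives the string to feed `openssl_version_affected` (take the second field, e.g. `openssl version | cut -d' ' -f2`).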

However, no direct detection commands or signatures are provided in the available resources.
