CVE-2026-45446
Awaiting Analysis - Queue
Authentication Bypass in OpenSSL AES-SIV and AES-GCM-SIV

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: OpenSSL Software Foundation

Description
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext, allowing a forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified successfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invoking the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and an all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, mounting the attack additionally requires the application to reuse the decryption context without resetting the key.

AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.

No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. For an application to be exposed, it must implement its own protocol on top of the EVP interface and must skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor    Product    Version / Range
openssl   openssl    3.0
openssl   openssl    3.2
CWE
CWE-325: The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
Compliance Impact

The vulnerability allows an attacker to forge empty messages with arbitrary Additional Authenticated Data (AAD) when using AES-SIV and AES-GCM-SIV implementations in OpenSSL. This could potentially lead to integrity issues in applications relying on these ciphers for authentication.

However, the CVE description does not provide specific information on how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects the implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) in OpenSSL. These are encryption modes designed to be resistant to nonce misuse and provide authenticated encryption with additional authenticated data (AAD). The issue arises when the ciphertext is empty but AAD is present.

In OpenSSL's implementation, the authentication tag is only recalculated during decryption if there is non-empty ciphertext data. If the ciphertext is empty, the tag remains at an all-zeros value and is not updated, which allows an attacker to forge messages with arbitrary AAD and empty ciphertext that will pass authentication.

For AES-GCM-SIV, an attacker can send arbitrary AAD with empty ciphertext and an all-zeros tag to successfully authenticate a message without knowing the key. For AES-SIV, the attack requires the application to reuse the decryption context without resetting the key.

This vulnerability only affects applications that implement their own protocols using these ciphers via the EVP interface and that skip the ciphertext update when receiving empty ciphertext messages. OpenSSL protocols like TLS, CMS, PKCS7, HPKE, and QUIC do not use these ciphers and are not affected.

Impact Analysis

This vulnerability allows an attacker to forge authenticated messages with empty ciphertext and arbitrary additional authenticated data (AAD). This means an attacker can create messages that appear valid and authenticated to the victim's application without knowing the encryption key.

Such forged messages could potentially be accepted by the application, leading to unauthorized actions or data manipulation depending on how the application processes these messages.

However, the impact is limited to applications that use AES-SIV or AES-GCM-SIV ciphers via OpenSSL's EVP interface and that handle empty ciphertext messages without proper checks. Standard OpenSSL protocols are not affected.

Mitigation Strategies

To mitigate this vulnerability, avoid using AES-SIV and AES-GCM-SIV cipher implementations in OpenSSL versions 3.0 and 3.2 respectively, especially in applications that implement their own protocols using the EVP interface.

Ensure that applications do not skip the ciphertext update step when processing messages with empty ciphertext, as this is required to correctly compute the authentication tag.

The OpenSSL FIPS modules (versions 4.0, 3.6, 3.5, 3.4, and 3.0) are not affected by this issue: these algorithms are not FIPS approved, so the affected code lies outside the FIPS module boundary.
