CVE-2026-45446
Authentication Bypass in OpenSSL AES-SIV and AES-GCM-SIV

Vulnerability report for CVE-2026-45446, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-16

Assigner: OpenSSL Software Foundation

Description

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) when the ciphertext is empty, allowing forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to a victim application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, a nonce, optional AAD (bytes that are authenticated but not encrypted) and a plaintext, and produce a ciphertext plus a 16-byte tag. On decryption, `EVP_DecryptFinal_ex()` is documented to return success only if the tag verifies successfully.

In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption update function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without any ciphertext update call, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its initial all-zeros value. With AES-GCM-SIV, an attacker who sends arbitrary AAD, an empty ciphertext and an all-zeros tag passes authentication under any key, without knowing that key, in a single attempt. With AES-SIV, mounting the attack additionally requires the application to reuse the decryption context without resetting the key.

AES-SIV has been implemented since OpenSSL 3.0; AES-GCM-SIV since OpenSSL 3.2. No protocol implemented in OpenSSL itself (TLS, CMS, PKCS7, HPKE, QUIC) supports either AES-GCM-SIV or AES-SIV. For the issue to be exploitable, an application must implement its own protocol over the EVP interface and must skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.

Meta Information

Generated: 2026-06-30
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

Vendor    Product   Version / Range
openssl   openssl   3.0.0 (inclusive) to 3.0.21 (exclusive)
openssl   openssl   3.4.0 (inclusive) to 3.4.6 (exclusive)
openssl   openssl   3.5.0 (inclusive) to 3.5.7 (exclusive)
openssl   openssl   3.6.0 (inclusive) to 3.6.3 (exclusive)
openssl   openssl   4.0.0

Exploitability

CWE-325: The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) in OpenSSL. These are encryption modes designed to be resistant to nonce misuse and provide authenticated encryption with additional authenticated data (AAD). The issue arises when the ciphertext is empty but AAD is present.

In OpenSSL's implementation, the authentication tag is only recalculated during decryption if there is non-empty ciphertext data. If the ciphertext is empty, the tag remains at an all-zeros value and is not updated, which allows an attacker to forge messages with arbitrary AAD and empty ciphertext that will pass authentication.

For AES-GCM-SIV, an attacker can send arbitrary AAD with empty ciphertext and an all-zeros tag to successfully authenticate a message without knowing the key. For AES-SIV, the attack requires the application to reuse the decryption context without resetting the key.

This vulnerability only affects applications that implement their own protocols using these ciphers via the EVP interface and that skip the ciphertext update when receiving empty ciphertext messages. OpenSSL protocols like TLS, CMS, PKCS7, HPKE, and QUIC do not use these ciphers and are not affected.

Impact Analysis

This vulnerability allows an attacker to forge authenticated messages with empty ciphertext and arbitrary additional authenticated data (AAD). This means an attacker can create messages that appear valid and authenticated to the victim's application without knowing the encryption key.

Such forged messages could be accepted by the application, leading to unauthorized actions or data manipulation depending on how the application processes them.

However, the impact is limited to applications that use AES-SIV or AES-GCM-SIV ciphers via OpenSSL's EVP interface and that handle empty ciphertext messages without proper checks. Standard OpenSSL protocols are not affected.

Mitigation Strategies

To mitigate this vulnerability, avoid using the AES-SIV and AES-GCM-SIV cipher implementations in the affected OpenSSL versions (AES-SIV exists since OpenSSL 3.0, AES-GCM-SIV since 3.2), especially in applications that implement their own protocols using the EVP interface.

Ensure that applications do not skip the ciphertext update step when processing messages with empty ciphertext, as this is required to correctly compute the authentication tag.

The OpenSSL FIPS modules (versions 4.0, 3.6, 3.5, 3.4, and 3.0) are not affected by this issue: these algorithms are not FIPS approved and the affected code lies outside the FIPS module boundary, so an application restricted to the FIPS provider cannot select them.

Compliance Impact

The vulnerability allows an attacker to forge empty messages with arbitrary Additional Authenticated Data (AAD) when using AES-SIV and AES-GCM-SIV implementations in OpenSSL. This could potentially lead to integrity issues in applications relying on these ciphers for authentication.

However, the CVE description does not provide specific information on how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability arises from the mishandling of the authentication of Additional Authenticated Data (AAD) with an empty ciphertext in the AES-SIV and AES-GCM-SIV implementations in OpenSSL. Detection involves identifying whether your application uses these ciphers with an affected OpenSSL version (AES-SIV exists from 3.0 onward, AES-GCM-SIV from 3.2 onward).

Since the vulnerability requires the application to use these specific ciphers and to process messages with empty ciphertext without invoking ciphertext update, detection on the network or system would involve monitoring for such usage patterns.

There are no specific commands provided in the available information to detect this vulnerability directly on your network or system.
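As an added check that is not part of this report or of OpenSSL's own tooling, the POSIX shell script below classifies an OpenSSL version string against the affected ranges listed in the CPE table above and scans a source tree for references to the SIV cipher names. It assumes the application selects the cipher by OpenSSL's algorithm name (for example "AES-256-GCM-SIV" passed to `EVP_CIPHER_fetch()`); the sample source files in the usage section are constructed for illustration.

```shell
#!/bin/sh
# Added check for CVE-2026-45446 (not from the advisory or OpenSSL).
# Affected ranges, taken from the CPE table on this page:
#   3.0.0 <= v < 3.0.21   3.4.0 <= v < 3.4.6   3.5.0 <= v < 3.5.7
#   3.6.0 <= v < 3.6.3    4.0.0
# Branches the table does not mention (e.g. 3.1.x-3.3.x, or 4.0.x above 4.0.0)
# are reported as "not-listed", not as "fixed": the page states nothing about them.

# Print one of: affected | fixed | not-listed | unparseable
openssl_version_status() {
    # Keep only the leading dotted-numeric part ("3.6.3-dev" -> "3.6.3", "1.1.1w" -> "1.1.1").
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unparseable; return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}          # tolerate a fourth component
    status=not-listed
    case "$major.$minor" in
        3.0) if [ "$patch" -lt 21 ]; then status=affected; else status=fixed; fi ;;
        3.4) if [ "$patch" -lt 6 ];  then status=affected; else status=fixed; fi ;;
        3.5) if [ "$patch" -lt 7 ];  then status=affected; else status=fixed; fi ;;
        3.6) if [ "$patch" -lt 3 ];  then status=affected; else status=fixed; fi ;;
        4.0) if [ "$patch" -eq 0 ];  then status=affected; fi ;;
    esac
    echo "$status"
}

# Count files under a directory that mention an AES-SIV or AES-GCM-SIV cipher name.
# Assumption: the cipher is requested by its OpenSSL algorithm name; matching is
# case-insensitive so "aes-128-siv" style strings in config files are caught too.
scan_for_siv_ciphers() {
    grep -rliE 'aes-(128|192|256)-(gcm-)?siv' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Usage: report the locally installed OpenSSL, if one is on the PATH.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version | awk '{print $2}')
    echo "installed openssl $installed: $(openssl_version_status "$installed")"
fi
```

A library in an affected range is only a finding when the application also uses one of these ciphers over the EVP interface and skips the ciphertext update for empty messages, as the description states; the source scan narrows the first condition, and a code review of the decrypt path is still needed for the second.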
