CVE-2026-9076

OpenSSL CMS Key Unwrap Heap Out-of-Bounds Read

Vulnerability report for CVE-2026-9076, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-16

Assigner: OpenSSL Software Foundation

Description

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash, leading to Denial of Service for an application, if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure, as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test, as specified in the RFC, that reads 7 bytes from a heap allocation sized from the wrapped key length in the message. There is a minimum length check based on the block length of the wrapping cipher. However, the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm, with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher, the guard is ineffective: the allocated buffer containing the unwrapped key can be too small to hold the check bytes specified in the RFC, and a buffer over-read can occur.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently, openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt, before any authentication succeeds.

The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.
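The guard weakness described above, as an added illustrative model in C written for this page (not OpenSSL's own kek_unwrap_key() code): the block-size-only minimum length check beside a hardened guard that rejects non-block-cipher KEKs and bounds the buffer before the RFC 3211 check-byte test runs. The byte layout follows RFC 3211; the function names and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 3211 PWRI unwrapped-key layout (a model written for this page, not OpenSSL's code):
 *   [0] key length   [1..3] check bytes   [4..] key   then padding
 * Each check byte is the bitwise complement of the matching first key byte,
 * so the check-byte test touches indexes 0..6: seven bytes in total. */
#define PWRI_HDR_LEN    4
#define PWRI_CHECK_SPAN 7

/* Guard as the advisory describes it: the minimum length is derived only from
 * the KEK cipher's block size. Returns 1 when the unwrap would go ahead. */
int guard_blocklen_only(size_t inlen, size_t blocklen)
{
    if (blocklen == 0) return 0;
    if (inlen < 2 * blocklen) return 0;   /* "at least two blocks" */
    if (inlen % blocklen != 0) return 0;  /* whole blocks only */
    return 1;  /* with a stream-mode KEK, blocklen is 1 and a 2-byte buffer passes */
}

/* Hardened guard: refuse any KEK that is not a block cipher, and insist the
 * buffer covers every byte the check-byte test reads. */
int guard_hardened(size_t inlen, size_t blocklen)
{
    if (blocklen < 2) return 0;            /* stream-mode cipher OID: reject */
    if (inlen < PWRI_CHECK_SPAN) return 0; /* too short for the 7-byte test */
    return guard_blocklen_only(inlen, blocklen);
}

/* Check-byte test, run only after a guard has bounded inlen. */
int pwri_check_bytes_ok(const uint8_t *tmp, size_t inlen)
{
    size_t keylen;
    if (inlen < PWRI_CHECK_SPAN) return 0;
    keylen = tmp[0];
    if (keylen < 3 || PWRI_HDR_LEN + keylen > inlen) return 0;
    return tmp[1] == (uint8_t)~tmp[4] &&
           tmp[2] == (uint8_t)~tmp[5] &&
           tmp[3] == (uint8_t)~tmp[6];
}

/* Constructed samples: 16-byte key 00..0F with correct check bytes, zero-padded
 * to two 16-byte blocks; and the same layout with check byte [2] corrupted. */
const uint8_t sample_ok[32]  = {0x10, 0xFF, 0xFE, 0xFD, 0x00, 0x01, 0x02, 0x03,
                                0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
                                0x0C, 0x0D, 0x0E, 0x0F};
const uint8_t sample_bad[32] = {0x10, 0xFF, 0x00, 0xFD, 0x00, 0x01, 0x02, 0x03,
                                0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
                                0x0C, 0x0D, 0x0E, 0x0F};
```

With blocklen 1 the first guard admits a 2-byte buffer that the 7-byte check-byte test would then read past; the hardened guard refuses it before any byte is touched.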


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-16
Generated: 2026-06-30
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
External references: NVD, EUVD

Affected Vendors & Products

7 associated CPEs

Vendor    Product   Version / Range
openssl   openssl   From 1.0.2 (inc) to 1.0.2zq (exc)
openssl   openssl   From 1.1.1 (inc) to 1.1.1zh (exc)
openssl   openssl   From 3.0.0 (inc) to 3.0.21 (exc)
openssl   openssl   From 3.4.0 (inc) to 3.4.6 (exc)
openssl   openssl   From 3.5.0 (inc) to 3.5.7 (exc)
openssl   openssl   From 3.6.0 (inc) to 3.6.3 (exc)
openssl   openssl   4.0.0

Helpful Resources

Exploitability

CWE ID    Description
CWE-125   The product reads data past the end, or before the beginning, of the intended buffer.

AI Quick Actions

Compliance Impact

This vulnerability causes a heap buffer over-read that may lead to a denial of service (DoS) by crashing the application processing attacker-supplied CMS data. However, it does not result in information disclosure or unauthorized access to sensitive data.

Since there is no information disclosure or compromise of data confidentiality or integrity, the vulnerability does not directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal and sensitive information.

Nevertheless, the potential for denial of service could affect availability, which is a component of security standards. Organizations relying on vulnerable OpenSSL CMS decryption functions should consider this risk in their overall security posture and incident response planning.

Detection Guidance

This vulnerability occurs during the processing of attacker-supplied CMS data using password-based decryption functions such as CMS_decrypt() or CMS_decrypt_set1_password() in OpenSSL. Detection involves monitoring or testing for attempts to decrypt CMS data with unusual or attacker-chosen stream-mode KEK ciphers that could trigger the heap out-of-bounds read.

Since the vulnerability is triggered by malformed CMS data and specific cipher selections, one practical detection method is to analyze CMS decryption attempts in logs or to fuzz test the CMS decryption functionality with crafted inputs that use stream-mode ciphers in the PWRI keyEncryptionAlgorithm.

No built-in command detects this vulnerability directly on a network or host.

However, to check if your OpenSSL version is vulnerable, you can verify the OpenSSL version installed and whether it includes the fix for this issue (commits referenced in Resources 1-5). For example, run:

  • openssl version

To test the vulnerability, you could attempt to decrypt CMS data with a crafted payload using the openssl cms command line tool with the -decrypt and -pwri_password options, but this requires creating malicious CMS data that triggers the issue, which is non-trivial and not provided here.

Executive Summary

This vulnerability occurs in the CMS password-based decryption process when handling attacker-supplied CMS data. Specifically, an attacker can choose a stream-mode KEK cipher that causes a heap out-of-bounds read in the function kek_unwrap_key().

The key unwrapping function reads 7 bytes from a heap allocation based on the wrapped key length. However, the cipher used is selected by the attacker without requiring it to be a block cipher. If a stream-mode cipher is chosen, the allocated buffer may be too small, leading to a buffer over-read.

This over-read happens during the unwrap attempt before any authentication, and no password knowledge is needed. Although the over-read is limited to a few bytes and does not disclose information, it can cause a crash if the buffer borders unmapped memory.

Impact Analysis

The primary impact of this vulnerability is a potential Denial of Service (DoS) condition. A heap buffer over-read may cause the application to crash if the input buffer ends at a memory page boundary and the following page is unmapped.

There is no information disclosure because the over-read bytes are not revealed to the attacker. However, the crash can disrupt the availability of the affected application.

Mitigation Strategies

Applications that call CMS_decrypt() or CMS_decrypt_set1_password() on untrusted CMS data are vulnerable to this issue.

Since the vulnerability is triggered by attacker-supplied CMS data using a stream-mode KEK cipher, immediate mitigation steps include avoiding processing untrusted CMS data with these functions.

Additionally, update OpenSSL to a release outside the affected ranges listed under Affected Vendors & Products, as the issue lies in the CMS password-based decryption implementation.
