By weakness (CWE)
CWE-514: related vulnerabilities
CVEs classified under CWE-514. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
1 published vulnerability
- CVE-2026-42768LOW 3.7
OpenSSL's CMS and S/MIME decryption functions contain a flaw that allows attackers to exploit error messages or decryption output to gradually recover encrypted data or forge signatures. The vulnerability exists in two forms: when no recipient certificate is provided, an attacker can craft a message with multiple encryption layers to probe for valid padding patterns; when a certificate is provided but doesn't match, OpenSSL substitutes a random key, which an attacker can use to compare results and refine attacks. The practical risk is low because exploiting it requires the victim's application to expose detailed error codes or decryption results to an untrusted attacker, a scenario OpenSSL's developers consider very unlikely in real-world deployments.