MEDIUM 5.9

CVE-2026-42767: OpenSSL CMP NULL Pointer Dereference Denial of Service

An OpenSSL vulnerability allows an attacker controlling or intercepting CMP (Certificate Management Protocol) traffic to crash client applications by sending a specially crafted certificate response. The attack exploits a code defect where OpenSSL fails to properly validate a specific field in the response, causing the application to crash and become unavailable. This is a denial-of-service issue, not a data breach or unauthorized access risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42767 is a NULL pointer dereference in OpenSSL's CMP client implementation. The vulnerability occurs when processing a CMP response containing a CRMF CertRepMessage with an EncryptedValue structure where the symmAlg (symmetric algorithm) field contains an OID reference but lacks the required parameters. This missing validation allows the pointer dereference to occur, crashing the process. The flaw is classified as CWE-476 (NULL Pointer Dereference). OpenSSL's FIPS modules (versions 4.0, 3.6, 3.5, 3.4, and 3.0) are unaffected because the vulnerable code lies outside the FIPS module boundary.

Business impact

Organizations running OpenSSL-based CMP clients face availability risk. An attacker with network access to CMP traffic—or controlling a CMP server endpoint—can trigger repeated denial-of-service conditions, disrupting certificate enrollment, renewal, or management workflows. The impact is limited to availability; confidentiality and integrity are not compromised. Affected applications will require restart to recover, potentially disrupting PKI infrastructure operations and delaying certificate lifecycle management.

Affected systems

OpenSSL CMP client implementations are vulnerable. The specific versions affected require confirmation against the OpenSSL security advisory. Applications and services that consume untrusted or internet-facing CMP/CRMF messages are at risk. This includes certificate management tools, PKI orchestration platforms, and any service leveraging OpenSSL's CMP client libraries. Verify your OpenSSL version and whether CMP client functionality is enabled or in use.

Exploitability

Exploitation requires network access to CMP traffic or the ability to act as a man-in-the-middle between client and server, or control of the CMP server itself. The CVSS score of 5.9 (Medium) reflects the network attack vector, high complexity (need for specific message crafting), and no privilege or user interaction requirements. Practical exploitation is limited to environments where an attacker can influence CMP protocol exchanges—a relatively constrained threat model compared to externally facing services.

Remediation

Apply OpenSSL security patches as released by the OpenSSL project. Verify patch availability for your specific OpenSSL version and deployment. In the interim, restrict network access to CMP servers and endpoints, enforce mutual TLS authentication, and monitor CMP client applications for unexpected crashes or restarts. Consider network segmentation to limit exposure of CMP traffic to trusted infrastructure only.

Patch guidance

Consult the OpenSSL security advisory corresponding to CVE-2026-42767 for patch version numbers and availability timelines. Patches should be tested in a non-production environment before deployment. If you manage OpenSSL libraries centrally (e.g., via package managers or vendor distributions), check those channels for patched versions. For embedded or compiled deployments, recompilation from patched source may be required.

Detection guidance

Monitor OpenSSL CMP client processes for abnormal termination or crash patterns, particularly if accompanied by CMP protocol activity logs. Implement alerting on NULL pointer dereference errors in application logs or core dumps. Network-based detection is difficult without deep packet inspection of CMP/CRMF messages; however, detecting unexpected client restarts during CMP operations may signal exploitation attempts. Correlate CMP server logs with client crash events to identify potential attacks.

Why prioritize this

Although rated Medium severity, this vulnerability should be addressed promptly if you operate CMP infrastructure or clients. The attack surface is narrow—limited to CMP implementations—but the impact is reliable and denial-of-service is operationally disruptive to PKI workflows. Organizations with limited CMP dependencies can deprioritize slightly; those relying on OpenSSL-based certificate management should treat this as higher priority within their patching cycle.

Risk score, explained

The CVSS 3.1 score of 5.9 reflects a network-reachable vulnerability (AV:N) with high attack complexity (AC:H) due to the need for precise message crafting, no privilege or user interaction required, and high impact to availability (A:H). The score does not account for real-world attack likelihood—which is constrained by the requirement for network access to CMP traffic or CMP server compromise—but appropriately weights the reliable denial-of-service impact if preconditions are met.

Frequently asked questions

Do I need to worry about this if I don't use CMP or CRMF?

No. This vulnerability is specific to OpenSSL's CMP client implementation. If your organization does not deploy certificate management via CMP, or does not use OpenSSL's CMP libraries, you are not affected. Many organizations use alternative certificate provisioning methods (e.g., REST APIs, ACME) and are therefore unaffected.

Can this be exploited from the internet, or only from internal networks?

The vulnerability requires network access to CMP traffic. If your CMP server is accessible from the internet and you have untrusted clients connecting, the risk is higher. If CMP is restricted to internal, authenticated infrastructure, the attack surface is narrower. In either case, the attacker must craft a specific malformed CMP response, so uncontrolled internet exposure is the riskier scenario.

Will this cause data loss or unauthorized access to certificates?

No. This is purely a denial-of-service issue. The NULL pointer dereference crashes the application; it does not lead to data exfiltration, certificate theft, or unauthorized access. Your certificates and private keys are not at risk of compromise from this vulnerability.

Are OpenSSL FIPS-validated modules affected?

No. OpenSSL's FIPS modules (versions 4.0, 3.6, 3.5, 3.4, and 3.0) are not affected because the vulnerable code lies outside the FIPS module boundary. If your deployment uses only FIPS-approved cryptographic operations, you are not vulnerable to this specific flaw.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Patch version numbers and vendor advisory details should be verified directly with OpenSSL's official security releases. Organizations should conduct their own risk assessment based on their specific OpenSSL versions, deployment architecture, and use of CMP functionality. No exploit code or weaponizable proof-of-concept is provided. Always test patches in a non-production environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).