CVE-2026-42768: OpenSSL Bleichenbacher Oracle in CMS/S/MIME Decryption
OpenSSL's CMS and S/MIME decryption functions contain a flaw that allows attackers to exploit error messages or decryption output to gradually recover encrypted data or forge signatures. The vulnerability exists in two forms: when no recipient certificate is provided, an attacker can craft a message with multiple encryption layers to probe for valid padding patterns; when a certificate is provided but doesn't match, OpenSSL substitutes a random key, which an attacker can use to compare results and refine attacks. The practical risk is low because exploiting it requires the victim's application to expose detailed error codes or decryption results to an untrusted attacker, a scenario OpenSSL's developers consider very unlikely in real-world deployments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.7 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-514
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42768 is a Bleichenbacher-style adaptive chosen-ciphertext attack against OpenSSL's EVP_PKEY_decrypt() function when processing RSA PKCS#1 v1.5 Key Transport within CMS/PKCS#7 structures. In variant 1, CMS_decrypt() or PKCS7_decrypt() without a recipient certificate will iterate through all KeyTransRecipientInfo (KTRI) entries; an attacker constructs a message with a legitimate KTRI and a probe ciphertext to oracle the padding oracle behavior. In variant 2, when a recipient certificate is provided but the named recipient is not found, OpenSSL substitutes a random key, allowing an attacker to distinguish valid padding from invalid by observing both error codes and plaintext output. OpenSSL has implemented implicit rejection (per draft-irtf-cfrg-rsa-guidance) to mitigate this by returning a deterministic plaintext for all ciphertexts, rather than distinguishing success from failure at the cryptographic layer. FIPS modules in versions 4.0, 3.6, 3.5, and 3.4 are unaffected because CMS/S/MIME processing occurs outside the FIPS module boundary.
Business impact
The business risk is constrained by the attack's practical requirements. An attacker would need to interact repeatedly with a victim application that (1) accepts attacker-supplied CMS/S/MIME messages, (2) decrypts them using the vulnerable functions, and (3) returns or logs enough information (error codes, decryption success/failure, or plaintext) for the attacker to distinguish oracle responses. Most production applications do not expose this level of cryptographic side-channel information to untrusted external parties. Organizations running OpenSSL-based email, document encryption, or API security services should assess whether their error handling or logging could inadvertently become a oracle. The primary concern is defense-in-depth: even if your application does not appear vulnerable, layered patches reduce the window for future misconfigurations or integrations that might become exploitable.
Affected systems
The vulnerability affects OpenSSL's CMS_decrypt() and PKCS7_decrypt() functions across versions that have not yet received the implicit rejection fix. The exact affected version range is not detailed in the source data; verify against OpenSSL's official security advisory for your installed version. The vulnerability applies to any application statically or dynamically linked against the affected OpenSSL library that uses CMS or S/MIME decryption. FIPS-certified modules (versions 4.0, 3.6, 3.5, 3.4) are explicitly not affected because they do not handle CMS/S/MIME at the FIPS boundary.
Exploitability
Exploitability is low and heavily constrained by prerequisites. An attacker must: craft CMS/S/MIME messages with specific multi-recipient or malformed structures; send them to the target application repeatedly; and observe fine-grained oracle responses (error codes, decryption output, or application behavior). No known public exploits target this vulnerability, and the OpenSSL team is not aware of real-world applications that expose the necessary oracle. The attack requires network access and high complexity (AC:H in CVSS terms), reflecting the need to engineer both the message structure and the application behavior to leak oracle signals. A motivated attacker with network access to a poorly configured application could theoretically extract key material or forge signatures, but such configurations are expected to be rare.
Remediation
Apply OpenSSL patches that implement implicit rejection for RSA PKCS#1 v1.5 Key Transport decryption. Verify the patch version number against your OpenSSL vendor's official advisory, as version numbers are not specified in this summary. In parallel, audit your application's error handling and logging: ensure that decryption failures, success indicators, or partial plaintexts are not exposed to untrusted clients or logged in ways that could be observed by attackers. If your application must support RSA PKCS#1 v1.5 decryption, always provide a recipient certificate to CMS_decrypt() or PKCS7_decrypt() to disambiguate the correct recipient. Consider migrating to RSAES-OAEP or authenticated encryption schemes (e.g., CMS/AES-GCM) for new deployments, as these are inherently resistant to Bleichenbacher attacks.
Patch guidance
Obtain the latest OpenSSL security patch from openssl.org or your vendor's distribution channel. The patch modifies EVP_PKEY_decrypt() to use implicit rejection, ensuring that all RSA PKCS#1 v1.5 decryption attempts return a deterministic plaintext rather than failing loudly. Before patching, test in a non-production environment to confirm compatibility with your CMS/S/MIME processing pipeline, particularly if your code relies on catching decryption exceptions or interpreting error codes. If you maintain a wrapper around the OpenSSL C API, review your error handling to ensure it does not inadvertently leak oracle signals to callers. Prioritize patching systems that expose CMS/S/MIME decryption to external or untrusted input; internal, air-gapped systems have lower practical risk.
Detection guidance
Monitor application logs for repeated decryption failures or errors involving CMS/PKCS#7 processing, especially if the requests appear to come from the same source or follow a pattern consistent with probing. Check if your application logs or exposes cryptographic error details; if so, consider suppressing or anonymizing them to prevent accidental oracle leakage. Review access logs for unusual patterns of requests to endpoints that invoke CMS_decrypt() or similar functions. Endpoint Detection and Response (EDR) solutions may flag unusual key material exposure or signing operations if an attacker successfully exploits the vulnerability. For network-based detection, HTTPS or TLS inspection logs may show unusual CMS/S/MIME message structures with multiple recipients or malformed encryption layers, though such detection is complex and requires deep packet inspection.
Why prioritize this
This vulnerability merits attention despite its low CVSS score (3.7) because it represents a class of cryptographic weaknesses (Bleichenbacher attacks) that have been exploited in practice against other libraries and protocols. While real-world exploitability is low, the attack is fundamentally sound and could be enabled by misconfiguration or poor error handling in downstream applications. Patching is low-risk (implicit rejection is a defensive cryptographic best practice) and defends against both current and future integrations. Organizations should treat this as a steady-priority patch rather than an emergency, but not defer it indefinitely. Any application explicitly processing S/MIME or CMS should be patched within a standard maintenance cycle (30–60 days).
Risk score, explained
The CVSS 3.1 score of 3.7 (LOW) reflects: Network-reachable attack surface (AV:N), but High complexity due to the multiple prerequisites (AC:H) — the attacker must craft specific messages and observe oracle responses; No privilege escalation required (PR:N); No user interaction needed (UI:N); Confidentiality impact is Low (C:L) — the attacker can decrypt a message or forge a signature, but the scope and scale are limited by the oracle requirement; Integrity and Availability are not impacted (I:N, A:N). The score appropriately discounts the theoretical severity of a cryptographic compromise because the attack's practical realization depends on unusual and unlikely application behaviors.
Frequently asked questions
Can I be attacked if I use OpenSSL for TLS/SSL connections?
No. This vulnerability applies only to CMS and S/MIME decryption functions (CMS_decrypt, PKCS7_decrypt). TLS/SSL uses different cryptographic constructions and is not affected by this Bleichenbacher-style attack.
What should I do if I don't use CMS or S/MIME in my application?
You are not directly affected. However, if you depend on a library that uses CMS/S/MIME internally (e.g., for email encryption, digital signatures, or document protection), you should verify with that library's maintainer and plan to apply any updates they release.
Do I need to revoke or rotate my RSA keys?
No, key rotation is not necessary unless you have confirmed that your application has been exploited. The vulnerability requires attackers to interact with a running, vulnerable system and observe oracle responses. If your application has not been exposed to untrusted CMS/S/MIME messages with unusual structure, the risk of key compromise is very low.
What is 'implicit rejection' and does it break my application?
Implicit rejection is a cryptographic technique that returns a deterministic fake plaintext for invalid ciphertexts instead of raising an error. This eliminates the oracle signal that attackers exploit. For most applications, this change is transparent: valid decryptions work as before, and invalid ones silently return garbage (which your application will discard). Only applications that actively inspect or log decryption errors may require minor code adjustments.
This analysis is based on the published CVE description and OpenSSL's official advisory. Version numbers, patch releases, and remediation steps should be verified against openssl.org and your vendor's security bulletins. No exploit code or proof-of-concept is provided. The assessment of real-world exploitability reflects OpenSSL's statement that they are not aware of vulnerable applications in the wild; your organization's risk may differ if your application architecture exposes cryptographic oracles. Always test patches in non-production environments before production deployment. This document is for informational purposes and does not constitute security advice for your specific systems; consult with your security team or a qualified professional for guidance tailored to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42770LOWOpenSSL X9.42 DHX Subgroup Membership Validation Bypass
- CVE-2026-34180HIGHOpenSSL ASN.1 Decoder Integer Truncation Vulnerability
- CVE-2026-34181HIGHOpenSSL PKCS#12 Certificate Forgery Vulnerability – HIGH Severity
- CVE-2026-34183HIGHOpenSSL QUIC PATH_CHALLENGE Heap Exhaustion Denial of Service
- CVE-2026-35188MEDIUMOpenSSL TLS OCSP Stapling Double-Free Vulnerability
- CVE-2026-42764HIGHOpenSSL QUIC Server NULL Pointer Denial of Service Vulnerability
- CVE-2026-42765HIGHOpenSSL NULL Pointer Dereference in OCSP Certificate Chain Verification
- CVE-2026-42766MEDIUMOpenSSL CMS NULL Pointer Denial of Service