CVE-2026-42771: OpenSSL Email Validation Out-of-Bounds Read Denial of Service
CVE-2026-42771 is a vulnerability in OpenSSL's email address validation logic that can cause an application to crash when processing crafted email addresses. The flaw lies in how OpenSSL validates the local part (the part before the '@' symbol) of email addresses, particularly during S/MIME message validation. An attacker who can supply a malicious email address in an S/MIME message can trigger an out-of-bounds read that most likely results in a denial of service. The vulnerability does not allow data theft or system compromise beyond availability impact.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Issue summary: When the X509_VERIFY_PARAM_set1_email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen. Impact summary: This out of bounds read will not directly exfiltrate the data read to the attacker so the most likely result is a crash and a Denial of Service. An internal helper function called from X509_VERIFY_PARAM_[set|add]_email() used a wrong length when validating the local part of an email address. This could cause the 64 octet limit on the local part of an email address to be not enforced, or cause an out of bound read and potentially a crash. The bug is reachable via S-MIME validation with a crafted From: address supplied in an email message that can potentially cause a crash. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The X509_VERIFY_PARAM_set1_email and X509_VERIFY_PARAM_add_email functions contain a logic error in their internal helper function that miscalculates the length boundary when parsing the local part of an email address. The email specification limits the local part to 64 octets, but the buggy validation logic uses an incorrect length parameter, allowing either the check to be bypassed or memory beyond the intended buffer to be read. This out-of-bounds read occurs in non-FIPS OpenSSL code and can be triggered during certificate validation workflows that process email identities, such as S/MIME validation pipelines. The memory read itself is not exploitable for data exfiltration, but the access pattern is likely to cause a process crash.
Business impact
Organizations using OpenSSL for S/MIME email validation face availability risk. Email processing systems, secure messaging gateways, and applications that validate email certificates could crash when receiving specially crafted messages. This could disrupt communications workflows, trigger support escalations, and require service restarts. The impact is contained to availability; confidentiality and integrity are not at risk. For businesses where email validation is embedded in business-critical infrastructure (secure collaboration platforms, legal-hold email systems), the denial of service could be operationally significant.
Affected systems
The vulnerability affects OpenSSL libraries. Any application that uses OpenSSL's X509_VERIFY_PARAM email validation functions is potentially affected. Primary risk surfaces include S/MIME validators, email encryption/signing applications, certificate validation libraries, and gateway appliances that perform email certificate checks. FIPS-compliant deployments using OpenSSL's FIPS module are not affected, as the vulnerable code resides outside the FIPS boundary. The scope is limited to systems that actively invoke email validation functions on untrusted email data.
Exploitability
The vulnerability requires an attacker to control or inject email data into a validation workflow—most practically by sending a crafted email message to a recipient whose system processes S/MIME validation. No special privileges or user interaction beyond normal email receipt is required. The exploit is local in nature (the out-of-bounds read occurs in the validating process), but the trigger is remote (via email). Exploit complexity is low; the attacker simply needs to craft an email with a malicious From address. This is actively exploitable in real-world email environments, though the outcome (a crash rather than a code execution path) limits the attack surface.
Remediation
Organizations must apply OpenSSL patches released in response to this vulnerability. The patch corrects the length calculation in the email validation helper function. Verify the specific patched OpenSSL version number against the vendor advisory and plan testing before deployment. For applications that cannot be immediately patched, consider implementing network-level validation to filter malformed email headers before they reach the vulnerable code, or temporarily disabling S/MIME validation if operationally feasible. Prioritize patching systems that process untrusted external email.
Patch guidance
Apply the OpenSSL security patch as released by the OpenSSL project. Verify the patched version number in the vendor advisory and test in a staging environment before production deployment. Most distributions will offer patched versions through their regular package repositories. Developers should recompile applications linked against the vulnerable OpenSSL library. Check with your application vendor for compatibility statements and bundled OpenSSL versions. For embedded systems or appliances, check the vendor's security advisory for patch availability and timelines.
Detection guidance
Monitor application logs and system journals for crashes or exit signals in processes that perform S/MIME validation or certificate validation. Watch for unexpected segmentation faults or access violations in OpenSSL-linked processes when processing email. Network-based detection is challenging because the malformed input is at the email body level, but security gateways can log instances of rejection due to invalid email headers. Monitor OpenSSL version inventory across your environment to identify systems still running vulnerable releases. Correlate email receipt patterns with process crashes to identify attack attempts.
Why prioritize this
While the CVSS score of 6.2 (MEDIUM) reflects the availability-only impact, prioritization should be moderate to moderately-high depending on organizational context. This vulnerability is not in the CISA KEV catalog and has not yet shown in-the-wild exploitation as of publication. However, the ease of exploitation and the prevalence of S/MIME in regulated industries (financial services, legal, healthcare) warrant prompt attention. Organizations processing high-volume external email should prioritize patching over those in closed-loop environments. The lack of data exfiltration reduces urgency compared to a critical remote code execution, but the operational impact of email system crashes justifies near-term remediation planning.
Risk score, explained
The CVSS 3.1 score of 6.2 MEDIUM reflects: (1) local attack vector, acknowledging that the vulnerable code must be invoked by the application rather than accessible remotely; (2) low attack complexity, as the exploit is straightforward; (3) no special privileges or user interaction required; (4) no confidentiality or integrity impact; and (5) high availability impact via denial of service. The score appropriately downgrades from critical or high severity due to the lack of remote code execution or data theft, but it captures the meaningful availability disruption from a process crash. In environments where S/MIME validation is on the critical path for email delivery, the operational impact may feel more severe than the numerical score suggests.
Frequently asked questions
Can this vulnerability lead to remote code execution or data theft?
No. The out-of-bounds read is not exploitable for code execution or exfiltration. The most likely outcome is a process crash, causing denial of service. The vulnerability does not compromise confidentiality or integrity.
Do I need to patch if I'm not using S/MIME or email validation features?
If your application does not call X509_VERIFY_PARAM_set1_email or X509_VERIFY_PARAM_add_email, the code path is not reachable. Review your application's use of OpenSSL's certificate validation APIs. If email address validation is not part of your workflow, your risk is minimal. However, supply chain dependencies may invoke these functions indirectly, so verify with vendors.
Are FIPS-compliant OpenSSL deployments affected?
No. The vulnerable code is located outside the OpenSSL FIPS module boundary. Systems using OpenSSL's FIPS-validated module for email validation are not affected by this specific issue.
What is the practical impact of a denial of service in email validation?
A crash in email validation can halt or disrupt email processing, cause message queue backlogs, and trigger alert escalations. For organizations where email is business-critical (trading floors, support ticketing, secure communications), even brief downtime can have operational and financial consequences. The impact scales with the volume of untrusted email your system processes.
This analysis is provided for informational purposes and does not constitute legal or compliance advice. CVSS scores, patch version numbers, and vendor advisory details are sourced from official security releases and should be verified against the OpenSSL vendor advisory and your specific environment. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Patch testing and deployment timelines should be determined in accordance with your organization's change management and risk governance policies. SEC.co makes no warranty regarding the completeness or timeliness of this analysis. Always consult vendor advisories and conduct internal testing before deploying security patches in production environments. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34180HIGHOpenSSL ASN.1 Decoder Integer Truncation Vulnerability
- CVE-2025-70101MEDIUMlwext4 1.0.0 Out-of-Bounds Read Denial of Service
- CVE-2026-10305MEDIUMOut-of-Bounds Read in Samsung rlottie Animation Library
- CVE-2026-10979MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability
- CVE-2026-10985MEDIUMOut-of-Bounds Read in Google Chrome Skia – Data Leakage Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure