CVE-2026-45445: OpenSSL AES-OCB IV Discard and Tag Forgery Vulnerability
OpenSSL has a flaw in its AES-OCB encryption handling when applications use the lower-level one-shot EVP_Cipher() interface. The supplied encryption key (IV) is ignored, causing every message encrypted under the same key to use an identical effective nonce. This breaks the confidentiality guarantee of the encryption and, worse, enables attackers to forge authentication tags—meaning they can create fake encrypted messages that will be accepted as legitimate. The issue only affects applications that directly use the EVP_Cipher() one-shot API with AES-OCB; applications using the recommended streaming interface or TLS connections are not at risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-325
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inconsistent IV handling between OpenSSL's streaming and one-shot cipher APIs. When EVP_Cipher() is called on an AES-OCB context, the application-supplied IV is not flushed into the OCB cipher state before processing, leaving it in the all-zero state initialized by the provider. This results in (key, nonce) reuse across all invocations using the same key. If EVP_EncryptFinal_ex() is subsequently called to obtain the authentication tag, the deferred IV setup clears the accumulated plaintext checksum, causing the tag to depend only on the (key, IV) pair rather than the actual data. An attacker observing a single (ciphertext, tag) pair can forge valid tags for any ciphertext under the same key and IV. The OpenSSL FIPS modules and the SSL/TLS implementation are unaffected, as they do not use EVP_Cipher() with AES-OCB or support it as a cipher suite.
Business impact
Organizations using OpenSSL-based applications that encrypt sensitive data with AES-OCB via the EVP_Cipher() one-shot interface face exposure of encrypted payloads and risk of message forgery. An attacker who captures encrypted traffic or stored ciphertexts can derive plaintext through standard cryptanalysis and create counterfeit messages that pass authentication. This undermines both confidentiality and integrity guarantees for affected systems. However, the practical scope is narrower than it initially appears: most applications rely on the recommended streaming API or established TLS implementations, limiting the affected population. Still, any in-house or third-party cryptographic integration using AES-OCB with the one-shot interface is at immediate risk and requires urgent review and remediation.
Affected systems
OpenSSL versions using the AES-OCB provider are affected when EVP_Cipher() is the application's chosen interface. The FIPS modules in versions 4.0, 3.6, 3.5, 3.4, and 3.0 are explicitly not affected. TLS implementations and applications using the documented EVP_CipherUpdate() / EVP_CipherFinal_ex() streaming interface are unaffected. Organizations should audit their codebase for direct calls to EVP_Cipher() in combination with AES-OCB cipher names ('aes-*-ocb' in provider strings). Third-party libraries or custom AEAD implementations relying on this pattern are the primary concern.
Exploitability
Exploitation requires an attacker to observe encrypted messages or access stored ciphertexts produced by the vulnerable code path. No network-level interaction or authentication is needed; the vulnerability manifests purely through the cryptographic properties of the cipher state. Once a single (ciphertext, tag) pair is obtained, an attacker can cryptanalytically recover plaintext and forge arbitrary messages under the same key-IV pair. The attack is deterministic and does not require guessing or brute-force. However, real-world exploitation hinges on an application actually using EVP_Cipher() with AES-OCB, which is contrary to OpenSSL's own documented recommendations, making the vulnerable use pattern relatively uncommon but not unheard of in custom or legacy integrations.
Remediation
Affected applications must upgrade to a patched OpenSSL version once released and immediately audit their ciphertext API usage. The primary mitigation is to migrate from EVP_Cipher() to the recommended EVP_CipherUpdate() / EVP_CipherFinal_ex() streaming interface for all AEAD operations, including AES-OCB. If immediate patching is not possible, consider disabling AES-OCB as a cipher option and substituting a different authenticated encryption scheme. Any ciphertexts or authentication tags produced by vulnerable code paths should be considered compromised and regenerated after patching. For data that was encrypted with the vulnerable code, a retrospective cryptographic risk assessment is needed to determine if re-encryption is warranted.
Patch guidance
Monitor OpenSSL's official releases and security advisories for patched versions addressing CVE-2026-45445. Verify patch availability through the OpenSSL website and your distribution's security announcements before deploying. When patching, replace the entire OpenSSL library to ensure both libcrypto (where the provider lives) and any dependent applications are updated in tandem. Test the patched version thoroughly in a staging environment, particularly any custom AEAD code paths, to confirm the IV is now correctly applied. Applications running on distributions with extended support (e.g., Red Hat, Ubuntu LTS) should expect vendor-provided patches aligned with their release cycles.
Detection guidance
Search your codebase for calls to EVP_Cipher() paired with AES-OCB cipher names (e.g., 'aes-256-ocb', 'aes-128-ocb'). Use static analysis tools to flag these patterns as high-priority findings. For deployed systems, enable logging of any cipher operations and review logs for instances of OCB cipher invocations via the one-shot API. Monitor OpenSSL version numbers in running processes; any version prior to the patch announcement is suspect if AES-OCB is in use. Network-based detection is difficult without plaintext visibility, but unexplained authentication tag mismatches or unexpected message acceptance could signal exploitation. Implement integrity monitoring on systems where encrypted data is both generated and verified locally.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (7.5) and the complete loss of confidentiality and integrity for affected data. The attack requires no user interaction, no privilege escalation, and no authentication. However, the practical attack surface is constrained by the rarity of EVP_Cipher() usage with AES-OCB in production; most real-world OpenSSL deployments do not follow this anti-pattern. Organizations should prioritize this as urgent only if they have confirmed use of the vulnerable API combination; broader deployments can treat it as high-priority but not critical. The long timeline before active public exploitation (if it occurs) allows for orderly patching.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-exploitable vulnerability with high impact on confidentiality but no direct impact on availability or integrity in the traditional sense. The score does not discount for the uncommon use pattern (EVP_Cipher() with AES-OCB), which would be a mitigating factor in practice. The score correctly emphasizes that any application using this combination faces complete loss of encryption security. Contextually, your organization's risk depends heavily on whether you actually deploy this specific API pattern; if you don't, the vulnerability is a non-issue for you, while for those who do, the risk is severe.
Frequently asked questions
Does this affect my TLS/SSL connections?
No. OpenSSL's SSL/TLS implementation does not use EVP_Cipher() and does not support AES-OCB as a cipher suite. Standard HTTPS and other TLS-based communications are not vulnerable.
I use OpenSSL but I'm not sure if I use AES-OCB. How do I check?
Search your application source code and configuration files for references to 'ocb' or 'aes-*-ocb'. If you find none, you are not affected. If you only use the standard EVP_CipherUpdate() and EVP_CipherFinal_ex() functions, even with AES-OCB, you are not vulnerable.
What if I only need encryption without authentication (no tag verification)?
Even if you do not call EVP_EncryptFinal_ex() to retrieve the tag, the IV is still discarded, resulting in nonce reuse and loss of confidentiality. All calls with the same key will be vulnerable to standard AES-OCB cryptanalysis. Migrate to the streaming API regardless.
Are there workarounds if I can't patch immediately?
Disable AES-OCB cipher selection in your application configuration and use an alternative authenticated encryption scheme (e.g., AES-GCM, ChaCha20-Poly1305). This is a temporary measure; patching is mandatory for long-term security.
This analysis is based on the CVE-2026-45445 advisory and OpenSSL's official description. Patch availability and version information must be verified against OpenSSL's official website and your vendor's security bulletins. The impact and exploitability assessment assumes accurate identification of vulnerable code patterns; false negatives are possible if AES-OCB usage is obfuscated or dynamically generated. This vulnerability does not affect FIPS-validated OpenSSL modules. Organizations should conduct their own cryptographic risk assessment and testing before and after patching. No exploit code or proof-of-concept is provided or endorsed here. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42770LOWOpenSSL X9.42 DHX Subgroup Membership Validation Bypass
- CVE-2026-45446MEDIUMOpenSSL AES-SIV and AES-GCM-SIV Authentication Bypass
- CVE-2026-0420MEDIUMNETGEAR ReadyCloud TLS Certificate Validation Flaw
- CVE-2026-34180HIGHOpenSSL ASN.1 Decoder Integer Truncation Vulnerability
- CVE-2026-34181HIGHOpenSSL PKCS#12 Certificate Forgery Vulnerability – HIGH Severity
- CVE-2026-34183HIGHOpenSSL QUIC PATH_CHALLENGE Heap Exhaustion Denial of Service
- CVE-2026-42764HIGHOpenSSL QUIC Server NULL Pointer Denial of Service Vulnerability
- CVE-2026-42765HIGHOpenSSL NULL Pointer Dereference in OCSP Certificate Chain Verification