MEDIUM 4.8

CVE-2026-45446: OpenSSL AES-SIV and AES-GCM-SIV Authentication Bypass

OpenSSL's implementations of two advanced encryption modes, AES-SIV and AES-GCM-SIV, contain a flaw in how they verify message authenticity when the encrypted content is empty. An attacker can craft a fraudulent message with attached metadata (AAD) and an empty ciphertext that will pass authentication checks without knowing the encryption key. This is only exploitable in custom applications that implement their own protocols using OpenSSL's EVP interface and skip processing when receiving empty ciphertext.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-325
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in OpenSSL's provider implementation of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) AEAD modes. These algorithms are designed to be nonce-misuse-resistant and authenticate optional Additional Authenticated Data (AAD) alongside encrypted plaintext. The flaw occurs because the authentication tag is only recalculated during the decryption update phase when non-empty ciphertext is present. When an application provides AAD and then calls EVP_DecryptFinal_ex() without invoking the ciphertext update function (which occurs when receiving zero-length ciphertext), the tag remains at its default all-zeros value. For AES-GCM-SIV, this means any attacker can forge messages with arbitrary AAD and empty ciphertext by simply submitting an all-zeros tag. For AES-SIV, the attack requires context reuse without key reset. OpenSSL's built-in protocols (TLS, CMS, PKCS7, HPKE, QUIC) do not use these cipher modes, limiting impact to applications implementing custom protocols.

Business impact

Organizations using OpenSSL for custom cryptographic protocols based on AES-SIV or AES-GCM-SIV face potential message forgery attacks. An attacker could inject fraudulent authenticated messages into the application workflow, potentially bypassing integrity controls designed to prevent tampering. The impact severity depends entirely on protocol design: if the application gracefully rejects zero-length messages or resets the decryption context between operations, the vulnerability may be unexploitable. However, applications that accept authenticated metadata with empty payloads (e.g., certain command or control protocols) could face unauthorized command injection.

Affected systems

This vulnerability affects OpenSSL versions 3.2 and later for AES-GCM-SIV mode, and OpenSSL 3.0 and later for AES-SIV mode. OpenSSL's FIPS modules in versions 3.0 through 4.0 are unaffected because these cipher modes are not FIPS-approved and reside outside the FIPS boundary. The vulnerability does not impact standard TLS, CMS, PKCS7, HPKE, or QUIC implementations, as OpenSSL itself does not use these modes for those protocols. Only custom applications that directly call the EVP interface with AES-SIV or AES-GCM-SIV are at risk.

Exploitability

Exploitation requires multiple specific conditions: the target application must implement a custom protocol using AES-SIV or AES-GCM-SIV via OpenSSL's EVP interface, must accept messages with AAD and empty ciphertext, and must skip the ciphertext update phase when receiving zero-length encrypted data. For AES-GCM-SIV, an unauthenticated attacker on the network can forge messages single-shot without any key material. For AES-SIV, the attacker must additionally cause the application to reuse the decryption context without resetting the key. These constraints mean the vulnerability is not exploitable against standard OpenSSL-based services and requires developers to implement unusual message handling patterns.

Remediation

Apply security updates from OpenSSL once patches addressing this authentication bypass are released. Patches must ensure the authentication tag is computed correctly even when the ciphertext is empty, or that decryption fails gracefully in such scenarios. Organizations should review custom protocol implementations using AES-SIV or AES-GCM-SIV to confirm they validate ciphertext length and reset decryption state between operations. Until patches are available, consider whether your application truly requires these nonce-misuse-resistant modes or if standard AES-GCM is sufficient for your use case.

Patch guidance

Monitor OpenSSL security advisories for patch releases addressing CVE-2026-45446. Patches will be incorporated into upcoming OpenSSL maintenance releases for affected branches. Verify the patch against the official OpenSSL advisory to confirm which versions are fixed. Test patched versions in a staging environment before deploying to production, paying particular attention to any custom cryptographic protocol implementations. FIPS-constrained environments should note that FIPS modules are unaffected and do not require patching for this issue, though updating to patch non-FIPS components is still recommended for consistency.

Detection guidance

Detection is challenging without access to OpenSSL's internal EVP state. Security teams should review application code and dependencies for direct use of EVP_aes_siv() or EVP_aes_gcm_siv() functions. If found, audit the surrounding code for patterns where ciphertext updates are skipped or zero-length ciphertexts are processed. Monitor OpenSSL version inventory; flag systems running OpenSSL 3.0–3.1 (for AES-SIV) and 3.2+ (for AES-GCM-SIV) that use custom cryptographic protocols. Instrument applications to log or alert on zero-length ciphertext events paired with non-empty AAD, as this is the attack pattern.

Why prioritize this

This vulnerability merits prompt attention despite a CVSS score of 4.8 (Medium) because it directly bypasses a core security function: message authentication. The authentication bypass is unconditional for AES-GCM-SIV and requires only moderate preconditions for AES-SIV. However, real-world risk is significantly constrained by the requirement for custom application implementation and specific message handling patterns. Organizations without custom cryptographic protocols using these modes face minimal immediate risk. Those with such protocols should prioritize patching once available. The false-positive risk is low because affected code patterns are distinctive and unlikely to appear accidentally.

Risk score, explained

The CVSS 3.1 score of 4.8 (Medium) reflects a network-exploitable authentication bypass with no user interaction required, but limited scope (only custom application protocols) and loss of both confidentiality and integrity without availability impact. The 'AC:H' (High Attack Complexity) factor accounts for the requirement that applications must implement non-standard message handling (skipping ciphertext updates for empty messages). In practice, organizations not using custom protocols with these modes face negligible risk, while those that do should treat this as a critical authentication control failure warranting immediate patching upon availability.

Frequently asked questions

Does this affect standard TLS connections or HTTPS?

No. OpenSSL's TLS implementation does not use AES-SIV or AES-GCM-SIV. Standard TLS with AES-GCM or ChaCha20-Poly1305 is unaffected. Only custom applications that explicitly call OpenSSL's EVP interface with these cipher modes are at risk.

What should we do if we find we're using AES-SIV or AES-GCM-SIV?

First, confirm the OpenSSL version and whether your protocol accepts messages with non-empty AAD and zero-length ciphertext. If so, you are potentially vulnerable. Apply security updates when available, and in the interim, implement input validation to reject or handle such messages distinctly. Consider whether your application truly requires these nonce-misuse-resistant modes or if standard AES-GCM would suffice.

Are FIPS-compliant OpenSSL builds affected?

No. OpenSSL's FIPS modules (versions 3.0–4.0) do not implement AES-SIV or AES-GCM-SIV because these modes are not FIPS-approved. If your organization uses FIPS-certified OpenSSL, this vulnerability does not apply to your cryptographic operations.

Can an attacker exploit this without knowing the encryption key?

Yes, for AES-GCM-SIV. An unauthenticated attacker can send an all-zeros tag with arbitrary AAD and empty ciphertext, and it will authenticate under any key. For AES-SIV, the attacker must trick the application into reusing the decryption context without resetting the key.

This analysis is based on the official CVE-2026-45446 description and OpenSSL vendor guidance available as of June 2026. Exploit details, patch version numbers, and affected product lists should be verified against the OpenSSL security advisory before deployment decisions. This vulnerability does not affect standard OpenSSL usage in TLS, CMS, or other built-in protocols. Risk assessment should account for your specific use of OpenSSL and whether custom cryptographic protocols using AES-SIV or AES-GCM-SIV are implemented in your environment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).