CVE-2026-45447: OpenSSL PKCS#7 Use-After-Free Leading to RCE
OpenSSL has a critical flaw in how it handles PKCS#7 and S/MIME signed messages. When these messages contain an empty digest algorithms field, OpenSSL incorrectly frees memory that the calling application still owns and expects to use later. This causes a use-after-free condition—essentially, the application tries to use memory that OpenSSL has already released. Depending on how the application manages that memory afterward, this can cause crashes, corruption of heap data, or in worse cases, allow an attacker to execute arbitrary code remotely. The vulnerability requires an authenticated user to send a specially crafted message, but once triggered, the damage can be severe.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-416, CWE-825
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-07-15
NVD description (verbatim)
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
21 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in OpenSSL's PKCS7_verify() function during the processing of PKCS#7 or S/MIME signed messages. Specifically, when the SignedData.digestAlgorithms field is an empty ASN.1 SET, OpenSSL incorrectly calls free() on a BIO (Basic Input/Output abstraction) object that was passed in by the caller. The BIO lifecycle should be managed entirely by the calling application; OpenSSL should not free it. After PKCS7_verify() returns, the caller's application typically calls BIO_free() on that same BIO, triggering a use-after-free. The root cause is CWE-416 (use-after-free) combined with CWE-825 (improper handling of object lifetime). The vulnerability does not affect applications using OpenSSL's newer CMS APIs, only those using the legacy PKCS#7 APIs. FIPS modules in versions 4.0, 3.6, 3.5, 3.4, and 3.0 are unaffected because the vulnerable code lies outside the FIPS module boundary.
Business impact
Organizations deploying OpenSSL-based applications that process digitally signed emails or PKCS#7 messages face a significant operational risk. Exploitation can lead to application crashes, degrading service availability. More critically, if an attacker can craft and send a malicious signed message to a targeted application, they may achieve remote code execution with the privileges of that application—potentially compromising the entire system. Financial and healthcare organizations that rely on S/MIME for secure communications are particularly exposed. The attack requires an authenticated message sender, which narrows but does not eliminate the attack surface in many enterprise environments. Downtime, data breach, and compliance violations are all realistic outcomes if this is not patched promptly.
Affected systems
All applications linked against or embedding OpenSSL and using the PKCS#7 APIs (specifically PKCS7_verify()) to validate signed messages are potentially affected. This includes mail servers, email clients, document signing tools, and any custom application that validates PKCS#7 or S/MIME signatures. Applications using OpenSSL's CMS API instead of the legacy PKCS#7 API are not affected. FIPS-validated deployments of OpenSSL 4.0, 3.6, 3.5, 3.4, or 3.0 operating in FIPS mode are not affected. Verify the exact OpenSSL version and which API your application uses; consult your vendor's advisory for definitive patch guidance.
Exploitability
An attacker must be able to send or cause the vulnerable application to process a specially crafted PKCS#7 or S/MIME signed message with an empty digestAlgorithms field. The attack requires authentication or the ability to generate a message that the application will process, lowering the barrier to entry in many real-world scenarios. Network access is required, and there is no user interaction needed once a message reaches the vulnerable code. The CVSS score of 8.8 (HIGH) reflects high impact (confidentiality, integrity, and availability all compromised) paired with low attack complexity. The vulnerability is not yet on the CISA Known Exploited Vulnerabilities (KEV) list, but the technical simplicity of crafting the malicious message means exploit code is likely to emerge quickly once patches are available and defenders begin hunting.
Remediation
Apply the latest OpenSSL security patch from the vendor as soon as possible. The fix addresses the memory management logic in PKCS7_verify() to ensure that caller-owned BIO objects are not freed by OpenSSL. Test the patch in a non-production environment first, particularly if your application has custom BIO handling or memory allocation patterns. If you cannot patch immediately, consider restricting the application's ability to receive or process untrusted PKCS#7 or S/MIME messages, or isolate affected services behind additional authentication and validation layers. Review vendor advisories carefully, as patch versions vary by OpenSSL release series.
Patch guidance
Contact your OpenSSL distribution provider or visit the OpenSSL website for the latest security release. Patches are typically issued for multiple active release branches (e.g., 3.2, 3.1, 3.0, and legacy lines). Verify the patch version against the vendor's security advisory before deploying. If your application bundles OpenSSL statically, you must rebuild and redeploy the application. If your system uses OpenSSL as a shared library, updating the library package may be sufficient, but confirm with your application vendor. Test in a staging environment to ensure compatibility, especially if you have custom OpenSSL configurations or unusual BIO usage patterns.
Detection guidance
Monitor application logs for unexpected crashes or segmentation faults in processes that handle S/MIME or PKCS#7 message verification. A use-after-free often manifests as heap corruption warnings or crashes in memory allocation/deallocation code shortly after PKCS7_verify() is called. Use heap sanitizers (e.g., AddressSanitizer) in development and testing to catch use-after-free conditions before production. Endpoint detection and response (EDR) tools should flag abnormal process terminations or memory access violations in OpenSSL-linked applications. On the network side, look for unusual PKCS#7 or S/MIME message structures (e.g., messages with empty or malformed digestAlgorithms fields) sent to your mail servers or document processing services. If you have source access, code audits should verify that any calls to PKCS7_verify() correctly handle the BIO lifecycle and do not assume OpenSSL will manage it.
Why prioritize this
This vulnerability scores HIGH (8.8 CVSS) with potential for remote code execution, requires only low attacker complexity, and affects a widely used library. Although it requires authentication or message send capability, those barriers are low in many organizational contexts. The attack surface spans email systems, document signing tools, and any PKCS#7-aware application. The fact that it is not yet in the KEV list does not diminish urgency—exploit code typically appears within days of patch availability for such straightforward memory safety issues. Organizations should treat this as a critical remediation priority.
Risk score, explained
CVSS 8.8 (HIGH) is driven by: (1) Network-accessible attack vector, (2) Low attack complexity (no special conditions required beyond crafting a specific message), (3) Low privileges required (an authenticated sender), (4) High impact across confidentiality, integrity, and availability. The use-after-free combined with potential RCE in memory-sensitive applications justifies the severity rating. If the vulnerability were easier to exploit without authentication, the score would be higher; conversely, if exploitation required high complexity or had minimal impact, it would be lower. The score reflects a realistic threat to production systems handling S/MIME.
Frequently asked questions
Do I need to patch if I use OpenSSL only for TLS/SSL connections and not for PKCS#7 signature verification?
No, not for this specific vulnerability. The flaw is isolated to the PKCS#7 APIs. If your application uses OpenSSL only for TLS handshakes, certificate validation, or encryption, you are not affected by CVE-2026-45447. However, you should still keep OpenSSL updated for other security fixes. Always verify against your application's actual use of OpenSSL APIs.
Are all versions of OpenSSL affected, or only specific ones?
The source data does not specify exact version ranges, so you must consult the OpenSSL security advisory directly. However, the description notes that FIPS modules in versions 4.0, 3.6, 3.5, 3.4, and 3.0 are unaffected because the vulnerable code is outside the FIPS boundary. This suggests the vulnerability is in non-FIPS code paths. Contact your OpenSSL vendor or check the official advisory to determine if your specific version is vulnerable.
Can I work around this if I cannot patch immediately?
Partial mitigations are possible but not foolproof. You could temporarily disable PKCS#7 signature verification in your application, authenticate all message sources strictly, or run the application in a sandboxed or containerized environment with minimal privileges. However, these are temporary measures. Patching is the only reliable fix. If your application is critical, prioritize patching within your change management process.
Does this affect S/MIME in email clients like Outlook or Thunderbird?
Email clients that use OpenSSL's PKCS#7 APIs for S/MIME verification are potentially affected. However, many modern mail clients use their own crypto libraries or the system's native certificate validation. Check your email client vendor's advisory to confirm whether you are affected and when a patch is available.
This analysis is based on the CVE record and publicly available OpenSSL vulnerability information as of the published date. Patch version numbers, affected product versions, and remediation steps must be verified against the official OpenSSL security advisory and your vendor's documentation. SEC.co does not guarantee the accuracy or completeness of this analysis and strongly recommends consulting with OpenSSL maintainers and your software vendor before deploying patches or making operational changes. No exploit code or weaponized proof-of-concept is provided or endorsed by this analysis. Use of any information herein is at your own risk. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-44422HIGHFreeRDP RDPEAR Double-Free Vulnerability (HIGH Severity)
- CVE-2026-46125HIGHLinux Kernel WiFi Driver Memory Safety Vulnerability
- CVE-2026-46166HIGHLinux Kernel mac80211 Use-After-Free in DFS Radar Detection
- CVE-2026-10000HIGHChrome Sandbox Escape via Use-After-Free in Password Handling
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10005HIGHChrome macOS Use-After-Free RCE Vulnerability (7.5 CVSS)