CVE-2026-9076: OpenSSL CMS Password Decryption Denial of Service
CVE-2026-9076 is a denial-of-service vulnerability in OpenSSL's CMS password-based decryption functionality. When processing specially crafted CMS messages, an attacker can trigger a heap buffer over-read that may crash the application. The vulnerability exists because OpenSSL's key unwrapping code assumes the cipher used for key encryption is block-based, but an attacker can specify a stream-mode cipher instead, bypassing length checks. No password knowledge is required to attempt the attack, and the vulnerability affects any application that decrypts untrusted CMS data using password-based key recovery. The FIPS modules are unaffected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the kek_unwrap_key() function, which implements RFC 3211 password-based CMS key unwrapping (PWRI). The function performs a check-byte validation that reads 7 bytes from an unwrapped key buffer. The buffer allocation size is based on the attacker-controlled wrapped key length, with a minimum size check that assumes a block cipher with a specific block length. However, the cipher algorithm is selected from an OID in the attacker's CMS message with no validation requiring it to be block-mode. By specifying a stream-mode cipher (which has different size semantics), an attacker can cause the allocated buffer to be insufficiently sized for the RFC-mandated check-byte read, resulting in a heap buffer over-read of several bytes beyond the allocation boundary. If the allocation borders an unmapped memory page, the over-read triggers a segmentation fault.
Business impact
Affected applications face potential service disruption. Any system processing untrusted CMS-encrypted messages via the CMS_decrypt() or CMS_decrypt_set1_password() APIs (or the openssl cms command-line tool) can be remotely crashed without authentication. This is particularly relevant for automated message processing, secure document handling, or secure email systems that rely on OpenSSL's CMS implementation. The attack requires no credentials or prior knowledge and can be conducted by any network-adjacent or remote attacker depending on deployment context. Recovery typically requires application restart.
Affected systems
OpenSSL is affected. Applications using OpenSSL's CMS decryption functions with untrusted input are vulnerable. This includes the openssl cms command-line utility when used with the -decrypt and -pwri_password options. The FIPS-validated OpenSSL modules are not affected. Deployments should verify their OpenSSL version against vendor advisories to determine if patches are available.
Exploitability
Exploitability is straightforward from a technical standpoint: an attacker crafts a CMS message with an attacker-chosen stream-mode cipher OID in the key encryption algorithm field, then sends it to a vulnerable application. No authentication, credentials, or password knowledge is required; the over-read occurs before authentication checks. Practical exploitation to trigger a crash depends on heap layout—the allocation must border unmapped memory for a segmentation fault. This is possible but not guaranteed with standard allocators. The attack vector is network-based with low complexity, making it a viable denial-of-service vector in exposed CMS processing services.
Remediation
Apply the patched OpenSSL version released by the OpenSSL project. Verify against the official OpenSSL security advisory for specific fixed versions. As a defensive measure, applications should avoid processing CMS messages from untrusted sources unless necessary; if processing is unavoidable, consider adding application-level validation to reject CMS messages using unexpected or stream-mode key encryption algorithms, or isolate CMS processing in a sandbox or containerized environment to limit blast radius of crashes. The FIPS modules do not require patching.
Patch guidance
Consult the OpenSSL project's official security advisory for CVE-2026-9076 to identify the fixed version(s) for your current OpenSSL release line (1.1.1, 3.0, 3.1, 3.2, etc.). Test the patched version in a development environment before deploying to production. Prioritize patching for systems that process untrusted CMS data or expose CMS decryption functionality via network APIs or command-line tools. For Linux distributions and other vendors shipping OpenSSL, check your package manager for available security updates.
Detection guidance
Monitor application logs for segmentation faults, core dumps, or unexpected crashes in processes running OpenSSL CMS decryption code. Intrusion detection systems with CMS message inspection capabilities may identify suspicious PWRI messages specifying unusual key encryption algorithm OIDs, particularly stream-mode ciphers. If the openssl cms command is exposed in scripts or services, audit its usage for potential untrusted input. Network-based detection is limited due to the encrypted nature of CMS payloads, but anomalous termination of otherwise stable services processing CMS data warrants investigation.
Why prioritize this
This vulnerability merits prompt patching despite its denial-of-service-only impact. It requires no authentication or user interaction, affects a widely deployed cryptographic library, and can be triggered remotely by any attacker capable of sending a crafted message to a vulnerable CMS processing service. The CVSS score of 7.5 (HIGH) reflects the low barrier to exploitation and the availability impact. Organizations operating automated message processing, email security gateways, or document encryption systems dependent on OpenSSL CMS should prioritize this patch.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) is driven by attack vector network, attack complexity low, and no privilege or user interaction required, combined with high availability impact. The confidentiality and integrity ratings are none because the over-read does not disclose data and does not enable corruption. The availability impact is high because a successful crash results in denial of service. The score appropriately reflects the severity of a remotely triggerable, unauthenticated denial-of-service condition in a cryptographic library, though practical exploitation for consistent crashing is mitigated by heap layout dependencies.
Frequently asked questions
Can an attacker read sensitive data via this vulnerability?
No. The vulnerability causes a heap over-read of a few bytes, but those bytes are not returned to the attacker or written to output. The over-read is used internally by the key unwrapping function and does not result in information disclosure. The impact is strictly denial of service via crash.
Do I need to know the password to exploit this vulnerability?
No. The exploit occurs during the key unwrap phase before password validation. An attacker can send a crafted CMS message specifying a stream-mode key encryption cipher, triggering the over-read regardless of whether the password is correct.
Are systems using OpenSSL's FIPS modules affected?
No. The vulnerability is specific to OpenSSL's standard (non-FIPS) CMS implementation. FIPS-validated modules do not contain this flaw and do not require patching for this CVE.
What if my application never processes untrusted CMS data?
If your OpenSSL deployment only processes CMS messages from trusted, authenticated sources, the risk is reduced. However, if there is any possibility of processing attacker-controlled CMS messages or if the application architecture may change in the future, patching is still recommended to eliminate the attack surface.
This analysis is provided for informational purposes based on the CVE description and does not constitute professional security advice. Verification of patch availability, affected versions, and remediation strategies should be conducted against the official OpenSSL security advisory and your vendor's documentation. Testing of patches in non-production environments is strongly recommended before deployment. The information herein is current as of the publication date and may be subject to updates as additional details emerge. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34180HIGHOpenSSL ASN.1 Decoder Integer Truncation Vulnerability
- CVE-2026-42771MEDIUMOpenSSL Email Validation Out-of-Bounds Read Denial of Service
- CVE-2025-41278HIGHWaterfall WF-500 RX Host Out-of-Bounds Read Remote Code Execution
- CVE-2026-0076HIGHAndroid ResourceTypes.cpp Out-of-Bounds Read Privilege Escalation
- CVE-2026-10017HIGHChrome Sandbox Escape via Out-of-Bounds Read in Headless Mode
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10930HIGHChrome ANGLE Out-of-Bounds Read on macOS