Invalid Pointer Dereference in OpenSSL Parsing of Malformed PKCS#12 Files
CVE-2026-22795

Currently unrated

Key Information:

Vendor

OpenSSL
Status
OpenSSL
Vendor
CVE Published:
27 January 2026

What is CVE-2026-22795?

An application processing a malformed PKCS#12 file can suffer from an invalid or NULL pointer dereference, leading to a Denial of Service. The issue arises when the ASN1_TYPE union is accessed without validating the type, triggering a read from an invalid memory address. This vulnerability is limited to a confined memory space, typically causing a crash due to attempts to manipulate unmapped addresses. While exploiting this requires processing untrusted PKCS#12 files—rare in practice—affected versions of OpenSSL could potentially face service interruptions unless patched.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

OpenSSL 3.6.0 < 3.6.1

OpenSSL 3.5.0 < 3.5.5

OpenSSL 3.4.0 < 3.4.4

References

https://openssl-library.org/news/secadv/20260127.txt
vendor-advisory
https://github.com/openssl/openssl/commit/ef2fb66ec571564...
patch
https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4...
patch

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Luigino Camastra (Aisle Research)
Bob Beck
JSON
.