Type Confusion Vulnerability in OpenSSL's PKCS#7 Signature Verification
CVE-2026-22796

5.3 MEDIUM

Key Information:

Vendor: OpenSSL
Status: Vendor
CVE Published: 27 January 2026

What is CVE-2026-22796?

A type confusion vulnerability exists in the signature verification of PKCS#7 data in OpenSSL. The flaw occurs when a member of the ASN1_TYPE union is accessed without first validating the value's type, which can lead to an invalid or NULL pointer dereference. An attacker can cause a Denial of Service by supplying malformed signed PKCS#7 data to an application that performs signature verification on it: invoking the affected PKCS7_digest_from_attributes() function on such input can crash the process, impacting availability. The impact assessment rates the vulnerability as limited in severity because the PKCS#7 API is a legacy interface, and migration to the CMS API is recommended.
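As an added illustration that is not OpenSSL's code, the following self-contained C model shows the defensive pattern the description points at: a tagged-union value, loosely shaped like ASN1_TYPE, whose type tag is checked before the matching union member is read. The struct and function names (any_t, attribute_t, digest_from_attributes, digest_matches), the sample attributes and the sample digest are all constructed here and are not OpenSSL identifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an ASN.1 "ANY" value: a type tag plus a union of
 * possible payloads. Only loosely mirrors OpenSSL's ASN1_TYPE. */
enum { T_INTEGER = 2, T_OCTET_STRING = 4, T_NULL = 5 };

typedef struct {
    size_t length;
    const unsigned char *data;
} octet_string_t;

typedef struct {
    int type;                              /* which union member is valid */
    union {
        void *ptr;                         /* T_NULL carries no payload */
        const octet_string_t *octet_string;
        long integer;
    } value;
} any_t;

/* A signed attribute: an OID name plus one ANY value. */
typedef struct {
    const char *oid;
    any_t value;
} attribute_t;

/* Hardened lookup of the messageDigest attribute. The union member is only
 * read after the tag confirms it holds an octet string; any other type, or a
 * missing payload, is rejected instead of being dereferenced. */
const octet_string_t *digest_from_attributes(const attribute_t *attrs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(attrs[i].oid, "messageDigest") != 0)
            continue;
        const any_t *v = &attrs[i].value;
        if (v->type != T_OCTET_STRING || v->value.octet_string == NULL)
            return NULL;                   /* type-confusion / NULL guard */
        return v->value.octet_string;
    }
    return NULL;                           /* attribute absent */
}

/* Verification step: compare the attribute's digest with the computed one.
 * Returns 1 on match, 0 on mismatch or when no valid digest is present. */
int digest_matches(const attribute_t *attrs, size_t n,
                   const unsigned char *computed, size_t computed_len) {
    const octet_string_t *d = digest_from_attributes(attrs, n);
    if (d == NULL || d->length != computed_len)
        return 0;
    return memcmp(d->data, computed, computed_len) == 0;
}

/* Constructed sample digest (not a real hash). */
static const unsigned char SAMPLE_DIGEST[4] = {0xde, 0xad, 0xbe, 0xef};
static const octet_string_t SAMPLE_OS = {4, SAMPLE_DIGEST};

/* Well-formed input: messageDigest carries an octet string. Expected 1. */
int demo_wellformed(void) {
    attribute_t attrs[2] = {
        {"contentType",   {T_INTEGER,      {.integer = 1}}},
        {"messageDigest", {T_OCTET_STRING, {.octet_string = &SAMPLE_OS}}},
    };
    return digest_matches(attrs, 2, SAMPLE_DIGEST, 4);
}

/* Malformed input: messageDigest carries NULL instead of an octet string.
 * Reading the octet_string member without the tag check would dereference
 * NULL; the guarded lookup returns 0 instead. */
int demo_malformed_null(void) {
    attribute_t attrs[1] = {
        {"messageDigest", {T_NULL, {.ptr = NULL}}},
    };
    return digest_matches(attrs, 1, SAMPLE_DIGEST, 4);
}

/* Malformed input: messageDigest carries an INTEGER. Interpreting the integer
 * bits as a pointer is the type confusion; the guard rejects it. Expected 0. */
int demo_malformed_wrong_type(void) {
    attribute_t attrs[1] = {
        {"messageDigest", {T_INTEGER, {.integer = 0}}},
    };
    return digest_matches(attrs, 1, SAMPLE_DIGEST, 4);
}

int main(void) {
    printf("well-formed: %d\n", demo_wellformed());
    printf("null payload: %d\n", demo_malformed_null());
    printf("wrong type: %d\n", demo_malformed_wrong_type());
    return 0;
}
```

The point of the model is that a verifier must treat the ANY value's tag as untrusted input and branch on it before touching the union; returning a verification failure for an unexpected tag is the safe outcome, whereas an unconditional read of the octet-string member turns a malformed attribute into a crash.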


Affected Version(s)

OpenSSL 3.6.0 < 3.6.1

OpenSSL 3.5.0 < 3.5.5

OpenSSL 3.4.0 < 3.4.4

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Luigino Camastra (Aisle Research)
Bob Beck