Input Validation Flaw in OpenSSL PKCS#12 File Processing
CVE-2026-34181
7.4HIGH
What is CVE-2026-34181?
The vulnerability arises from inadequate input validation in OpenSSL's PKCS#12 file processing when using the PBMAC1 integrity mechanism. This flaw allows an attacker to create forged certificates and private keys with a 1 in 256 chance of being accepted by services reading PKCS#12 files. By crafting unencrypted PKCS#12 files with a PBMAC1 mechanism that includes an HMAC key of just one byte, attackers can exploit services relying on password authentication, thereby gaining unauthorized acceptance of their malicious certificates and keys.
Affected Version(s)
OpenSSL 4.0.0 < 4.0.1
OpenSSL 3.6.0 < 3.6.3
OpenSSL 3.5.0 < 3.5.7
References
CVSS V3.1
Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Pavol Žáčik (Red Hat)
Alex Gaynor (Anthropic)
Alicja Kario (Red Hat)