Crypto Processing Flaw in OpenSSL Affects Multiple Versions
CVE-2026-34182
What is CVE-2026-34182?
OpenSSL's Cryptographic Message Services (CMS) encounters a critical input validation issue with the cipher and tag length fields of AuthEnvelopedData containers. This defect may allow attackers to exploit encryption weaknesses, potentially gaining unauthorized access to key-equivalent functionalities. By crafting malicious messages or altering existing ones, an attacker can bypass integrity checks and decrypt sensitive information without detection. The flaw notably affects how non-AEAD ciphers are handled and allows for tag length manipulation, leading to potential brute force attacks. Affected versions include 4.0.1 and several others, calling for urgent attention and patching.
Affected Version(s)
OpenSSL 4.0.0 < 4.0.1
OpenSSL 3.6.0 < 3.6.3
OpenSSL 3.5.0 < 3.5.7
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved