Crypto Processing Flaw in OpenSSL Affects Multiple Versions
CVE-2026-34182

9.1CRITICAL

Key Information:

Vendor

OpenSSL

Status
Vendor
CVE Published:
9 June 2026

What is CVE-2026-34182?

OpenSSL's Cryptographic Message Services (CMS) encounters a critical input validation issue with the cipher and tag length fields of AuthEnvelopedData containers. This defect may allow attackers to exploit encryption weaknesses, potentially gaining unauthorized access to key-equivalent functionalities. By crafting malicious messages or altering existing ones, an attacker can bypass integrity checks and decrypt sensitive information without detection. The flaw notably affects how non-AEAD ciphers are handled and allows for tag length manipulation, leading to potential brute force attacks. Affected versions include 4.0.1 and several others, calling for urgent attention and patching.

Affected Version(s)

OpenSSL 4.0.0 < 4.0.1

OpenSSL 3.6.0 < 3.6.3

OpenSSL 3.5.0 < 3.5.7

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Asim Viladi Oglu Manizada
Alex Gaynor (Anthropic)
Ying Dong
Haiyang Huang
Neil Horman
.