CVE-2026-45447
Published 2026-06-09
Priority: P263 high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.72% (84.2th percentile)
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap
corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed message, if the SignedData
digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may
incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent
use of the BIO by the calling application results in a use-after-free
condition.
In the common case this occurs when the application later calls
BIO_free() on the BIO originally passed to PKCS7_verify(). Depending
on allocator behavior and application-specific BIO usage patterns, this
may result in a crash or other memory corruption. In some application
contexts this may potentially be exploitable for remote code execution.
Applications that process PKCS#7 or S/MIME signed messages using OpenSSL
PKCS#7 APIs may be affected. Applications using the CMS APIs for this
processing are not affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | >= 1.0.2 < 1.0.2zq | 1.0.2zq |
| openssl | openssl | >= 1.1.1 < 1.1.1zh | 1.1.1zh |
| openssl | openssl | >= 3.0.0 < 3.0.21 | 3.0.21 |
| openssl | openssl | >= 3.4.0 < 3.4.6 | 3.4.6 |
| openssl | openssl | >= 3.5.0 < 3.5.7 | 3.5.7 |
| openssl | openssl | >= 3.6.0 < 3.6.3 | 3.6.3 |
| openssl | openssl | >= 4.0.0 < 4.0.1 | 4.0.1 |
| ubuntu | openssl | — | — |
| ubuntu | openssl1.0 | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition: a PKCS#7 or S/MIME signed message whose SignedData digestAlgorithms field is present as an empty ASN.1 SET causes OpenSSL to incorrectly free a caller-owned BIO inside PKCS7_verify(), leading to a use-after-free.
- The use-after-free is most commonly observable when the calling application subsequently calls BIO_free() on the BIO originally passed to PKCS7_verify(); monitor for double-free / heap corruption crashes in processes that handle PKCS#7 or S/MIME messages.
- Only applications using the OpenSSL PKCS#7 APIs (PKCS7_verify()) are affected; applications using the CMS APIs are NOT affected, so scope detection and triage accordingly.
- OpenSSL versions 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2 are all vulnerable; use version detection to identify unpatched instances in the environment.
- FIPS module builds (OpenSSL 4.0, 3.6, 3.5, 3.4, 3.0) are NOT affected because the vulnerable code is outside the FIPS module boundary; exclude these from alerts to reduce false positives.
- Fixed versions are: OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh (premium), 1.0.2zq (premium). Verify the deployed version against these thresholds when writing version-based detection rules.
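As an added example (not code from the OpenSSL advisory or from any vendor quoted on this page), the following Python helper encodes the fixed versions listed above and decides whether an `openssl version` string or an inventory line falls below the fix threshold for its branch. It handles both the 3.x/4.x numeric scheme and the 1.x letter-suffix scheme (1.0.2zq, 1.1.1zh), and reports branches the advisory lists no fix for (for example 3.2) as unknown rather than guessing. The hostnames and inventory lines are constructed sample data, and the `assess` / `triage` function names are my own.

```python
import re

# Fixed versions listed in the OpenSSL advisory for CVE-2026-45447, keyed by
# release branch. The 1.1.1 and 1.0.2 fixes are premium-support releases.
FIXED_VERSIONS = {
    "1.0.2": "1.0.2zq",
    "1.1.1": "1.1.1zh",
    "3.0": "3.0.21",
    "3.4": "3.4.6",
    "3.5": "3.5.7",
    "3.6": "3.6.3",
    "4.0": "4.0.1",
}

# Matches "3.0.21", "1.1.1zh", and the upstream part of "3.0.13-0ubuntu3.4".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract the first OpenSSL version from free text such as the output of
    `openssl version` ("OpenSSL 3.0.13 30 Jan 2024") and return a sortable
    tuple (major, minor, patch, letter_len, letters)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letters = m.groups()
    # OpenSSL 1.x patch letters sort "" < a < ... < z < za < zb ...: shorter
    # strings first, then lexicographic, so (length, string) is a valid key.
    return (int(major), int(minor), int(patch), len(letters), letters)


def branch_of(version):
    """Map a parsed version to the advisory's branch key: 1.x branches are
    identified by three components, 3.x/4.x branches by two."""
    major, minor, patch = version[:3]
    if major == 1:
        return f"{major}.{minor}.{patch}"
    return f"{major}.{minor}"


def assess(text):
    """Return (branch, fixed_version, vulnerable). `vulnerable` is None when
    the branch is not covered by the advisory's fix list."""
    version = parse_version(text)
    branch = branch_of(version)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return branch, None, None
    return branch, fixed, version < parse_version(fixed)


def triage(inventory):
    """Group inventory lines of the form "host<TAB>openssl version output" by
    status. Distribution packages that backport the fix without bumping the
    upstream version will land in 'vulnerable' here and must be reconciled
    against the vendor advisory (e.g. USN-8414-1 or the RHSA errata)."""
    result = {"vulnerable": [], "fixed": [], "unknown_branch": []}
    for line in inventory:
        host, _, version_text = line.partition("\t")
        branch, fixed, vulnerable = assess(version_text)
        if vulnerable is None:
            result["unknown_branch"].append((host, branch))
        elif vulnerable:
            result["vulnerable"].append((host, branch, fixed))
        else:
            result["fixed"].append((host, branch))
    return result


# Constructed sample inventory; hostnames and dates are made up for this example.
SAMPLE_INVENTORY = [
    "web-01\tOpenSSL 3.0.20 1 Jan 2026",
    "web-02\tOpenSSL 3.5.7 9 Jun 2026",
    "legacy-01\tOpenSSL 1.0.2zp 1 Jan 2026",
    "lab-01\tOpenSSL 3.2.4 1 Jan 2026",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(status, hosts)
```

The upstream version number is only a first filter: Debian, Ubuntu and Red Hat ship backported fixes under the original upstream version, so a host flagged here should be cross-checked against the distribution's own advisory before it is treated as unpatched, and the CMS-versus-PKCS#7 API distinction above still decides whether a flagged host actually exposes the vulnerable code path.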
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
VulDB
OpenSSL up to 4.0.0 PKCS7_verify digestAlgorithms use after free (Nessus ID 320333)
vuldb·2026-06-11·CVSS 8.8
CVE-2026-45447 [HIGH] OpenSSL up to 4.0.0 PKCS7_verify digestAlgorithms use after free (Nessus ID 320333)
A vulnerability labeled as critical has been found in OpenSSL up to 3.0.20/3.4.5/3.5.6/3.6.2/4.0.0. Affected by this issue is the function PKCS7_verify. The manipulation of the argument digestAlgorithms results in use after free.
This vulnerability is identified as CVE-2026-45447. The attack can be executed remotely. There is not any exploit available.
The affected component should be upgraded.
GHSA
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.
ghsa_unreviewed·2026-06-09
CVE-2026-45447 [CRITICAL] CWE-416 Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap
corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed message, if the SignedData
digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may
incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent
use of the BIO by the calling application results in a use-after-free
condition.
In the common case this occurs when the application later calls
BIO_free() on the BIO originally passed to PKCS7_verify(). Depending
on allocator behavior and application-specific BIO usage patterns, this
may result in a crash or other memory corrupti
Red Hat
openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()
vendor_redhat·2026-06-09·CVSS 8.8
CVE-2026-45447 [HIGH] CWE-825 openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()
openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap
corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed message, if the SignedData
digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may
incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent
use of the BIO by the calling application results in a use-after-free
condition.
In the common case this occurs when the application later calls
BIO_free() on the BIO originally passed to PKCS7_verify(). Depending
on allocator behavior and application-specific BIO usage patterns
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2026-06-09·CVSS 7.5
CVE-2026-45447 [HIGH] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1
content parsing. An attacker could possibly use this issue to cause OpenSSL
to crash, resulting in a denial of service, or obtain sensitive
information. (CVE-2026-34180)
Pavol Zacik and Alex Gaynor discovered that OpenSSL incorrectly accepted
PKCS#12 files with short HMAC keys when using PBMAC1. An attacker could
possibly use this issue to bypass integrity checks. This issue only
affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-34181)
Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could
accept forged CMS AuthEnvelopedData messages. An attacker could possibly
use this issue to bypass message authentication
BSD
FreeBSD-SA-26:35.openssl: Multiple vulnerabilities in OpenSSL
bsd_advisories·2026-06-09·CVSS 7.5
CVE-2026-34180 [HIGH] FreeBSD-SA-26:35.openssl: Multiple vulnerabilities in OpenSSL
FreeBSD-SA-26:35.openssl Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in OpenSSL
Category: contrib
Module: openssl
Announced: 2026-06-09
Credits: See linked vendor advisory in References section
Affects: All supported versions of FreeBSD.
Corrected: 2026-06-09 19:17:36 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:15 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:54 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:54 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:16 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:46 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-7383, CVE-2026-9076, CVE-2026-34180,
CVE-2026-34181, CVE-2026-34182, CVE-2026-34183,
CVE-2026-42764, CVE-2026-42766, CVE-2026-42767,
CVE-2026-42768, CVE-2026-42769, CVE-2026-42770,
CVE-202
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2026-06-09·CVSS 7.5
CVE-2026-45447 [HIGH] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: USN-8414-1 fixed several vulnerabilities in OpenSSL.
USN-8414-1 fixed several vulnerabilities in OpenSSL. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Frank Buss discovered that OpenSSL had a heap buffer over-read in ASN.1
content parsing. An attacker could possibly use this issue to cause OpenSSL
to crash, resulting in a denial of service, or obtain sensitive
information. (CVE-2026-34180)
Asim Viladi Oglu Manizada and Alex Gaynor discovered that OpenSSL could
accept forged CMS AuthEnvelopedData messages. An attacker could possibly
use this issue to bypass message authentication checks. (CVE-2026-34182)
Mayank Jangid, Kushal Khemka, Hari
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-45447 openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()
bugzilla·2026-05-27·CVSS 8.8
CVE-2026-45447 [HIGH] CVE-2026-45447 openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()
CVE-2026-45447 openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()
Heap Use-After-Free in OpenSSL PKCS7_verify()
Heap Use-After-Free in OpenSSL PKCS7_verify() (CVE-2026-45447)
Severity: High
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap
corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed message, if the SignedData
digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may
incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent
use of the BIO by the calling application results in a use-after-free
condition.
In the common case this occurs when the application la
Hackernews
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews·2026-06-15·CVSS 8.8
CVE-2026-11645 [HIGH] ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
## ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
References
- https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c
- https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8
- https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54
- https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c
- https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e
- https://openssl-library.org/news/secadv/20260609.txt
- https://access.redhat.com/errata/RHSA-2026:25237
- https://access.redhat.com/errata/RHSA-2026:25239
- https://access.redhat.com/errata/RHSA-2026:26275
- https://access.redhat.com/errata/RHSA-2026:26319
- https://access.redhat.com/errata/RHSA-2026:29197
- https://access.redhat.com/security/cve/CVE-2026-45447
- https://bugzilla.redhat.com/show_bug.cgi?id=2481898
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45447.json