CVE-2026-22795
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/01/2026
Last modified:
27/01/2026
Description
Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.

A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.

The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
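The advisory describes the bug class (a tagged union read through the wrong member) and why the resulting pointer can only fall in 0x00..0xFF. The following C model, added here as an illustration and not OpenSSL's own code, shows a minimal ASN1_TYPE-style union with the unchecked accessor beside a tag-validating one. The struct and tag values are assumed for the model; the real OpenSSL parsing path is not reproduced. The malformed element is constructed inline.

```c
/* Illustrative model of an ASN1_TYPE-style tagged union (assumed layout,
 * not OpenSSL's). Shows why reading a union member without checking the
 * tag is type confusion, and why the confused pointer lands in the zero page. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tag values modelled on ASN.1 universal tags (assumption for the model). */
enum { TAG_BOOLEAN = 1, TAG_OCTET_STRING = 4 };

typedef struct {
    size_t length;
    const unsigned char *data;
} octet_string_t;

/* Which member of `value` is valid depends entirely on `type`. */
typedef struct {
    int type;
    union {
        int boolean;                  /* valid only when type == TAG_BOOLEAN */
        octet_string_t *octet_string; /* valid only when type == TAG_OCTET_STRING */
    } value;
} asn1_type_t;

/* Vulnerable pattern: the caller assumes an OCTET STRING and reads the
 * pointer member without checking `type`. The value is returned as an
 * integer so the demonstration never dereferences it. */
uintptr_t unchecked_octet_string_ptr(const asn1_type_t *t)
{
    return (uintptr_t)t->value.octet_string;
}

/* Hardened pattern: validate the tag before touching the union member.
 * Returns 0 on success, -1 if the element is absent or not an OCTET STRING. */
int checked_get_octet_string(const asn1_type_t *t,
                             const unsigned char **data, size_t *len)
{
    if (t == NULL || t->type != TAG_OCTET_STRING || t->value.octet_string == NULL)
        return -1;
    *data = t->value.octet_string->data;
    *len = t->value.octet_string->length;
    return 0;
}

/* Constructed malformed input: a BOOLEAN where an OCTET STRING was expected.
 * Its single content octet (0x00..0xFF) is all a confused pointer read can see. */
void make_malformed_boolean(asn1_type_t *t, unsigned char content_octet)
{
    memset(t, 0, sizeof *t);
    t->type = TAG_BOOLEAN;
    t->value.boolean = content_octet;
}

/* 1 if the hardened accessor rejects the malformed element. */
int demo_malformed_rejected(void)
{
    asn1_type_t t;
    const unsigned char *d = NULL;
    size_t n = 0;
    make_malformed_boolean(&t, 0xFF);
    return checked_get_octet_string(&t, &d, &n) == -1;
}

/* 1 if the unchecked read yields an address inside 0x00..0xFF for every
 * possible content octet (assumes a little-endian host, where the int member
 * overlays the low bytes of the pointer). */
int demo_pointer_in_zero_page(void)
{
    asn1_type_t t;
    for (int b = 0; b <= 0xFF; b++) {
        make_malformed_boolean(&t, (unsigned char)b);
        if (unchecked_octet_string_ptr(&t) > 0xFF)
            return 0;
    }
    return 1;
}

/* 1 if a well-formed OCTET STRING element is still accepted with the right
 * length and data pointer. */
int demo_wellformed_accepted(void)
{
    static const unsigned char buf[3] = {1, 2, 3};
    octet_string_t os = {sizeof buf, buf};
    asn1_type_t t = {TAG_OCTET_STRING, {0}};
    const unsigned char *d = NULL;
    size_t n = 0;
    t.value.octet_string = &os;
    return checked_get_octet_string(&t, &d, &n) == 0 && n == 3 && d == buf;
}

int main(void)
{
    printf("malformed rejected:  %d\n", demo_malformed_rejected());
    printf("pointer in zero page: %d\n", demo_pointer_in_zero_page());
    printf("well-formed accepted: %d\n", demo_wellformed_accepted());
    return 0;
}
```

The defensive point is the one the advisory makes: a union member is only meaningful after the tag has been checked, and an application that loads PKCS#12 from untrusted sources should treat a parse failure as an expected, handled error rather than relying on the parser never being confused.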
Impact
References to Advisories, Solutions, and Tools
- https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
- https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
- https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
- https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
- https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
- https://openssl-library.org/news/secadv/20260127.txt