CVE-2026-45447
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
09/06/2026
Last modified:
15/07/2026
Description
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could<br />
trigger a use-after-free during PKCS#7 signature verification.<br />
<br />
Impact summary: A use-after-free may result in process crashes, heap<br />
corruption, or potentially remote code execution.<br />
<br />
When processing a PKCS#7 or S/MIME signed message, if the SignedData<br />
digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may<br />
incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent<br />
use of the BIO by the calling application results in a use-after-free<br />
condition.<br />
<br />
In the common case this occurs when the application later calls<br />
BIO_free() on the BIO originally passed to PKCS7_verify(). Depending<br />
on allocator behavior and application-specific BIO usage patterns, this<br />
may result in a crash or other memory corruption. In some application<br />
contexts this may potentially be exploitable for remote code execution.<br />
<br />
Applications that process PKCS#7 or S/MIME signed messages using OpenSSL<br />
PKCS#7 APIs may be affected. Applications using the CMS APIs for this<br />
processing are not affected.<br />
<br />
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this<br />
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 1.0.2 (including) | 1.0.2zq (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 1.1.1 (including) | 1.1.1zh (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.21 (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.4.0 (including) | 3.4.6 (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.5.0 (including) | 3.5.7 (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.6.0 (including) | 3.6.3 (excluding) |
| cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c
- https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8
- https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54
- https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c
- https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e
- https://openssl-library.org/news/secadv/20260609.txt
- https://access.redhat.com/errata/RHSA-2026:25237
- https://access.redhat.com/errata/RHSA-2026:25239
- https://access.redhat.com/errata/RHSA-2026:26275
- https://access.redhat.com/errata/RHSA-2026:26319
- https://access.redhat.com/errata/RHSA-2026:29197
- https://access.redhat.com/errata/RHSA-2026:34102
- https://access.redhat.com/errata/RHSA-2026:35869
- https://access.redhat.com/errata/RHSA-2026:36215
- https://access.redhat.com/errata/RHSA-2026:36217
- https://access.redhat.com/errata/RHSA-2026:39009
- https://access.redhat.com/errata/RHSA-2026:39012
- https://access.redhat.com/errata/RHSA-2026:39981
- https://access.redhat.com/security/cve/CVE-2026-45447
- https://bugzilla.redhat.com/show_bug.cgi?id=2481898
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45447.json



