Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45445

Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
09/06/2026
Última modificación:
16/06/2026

Descripción

*** Pendiente de traducción *** Issue summary: When an application drives an AES-OCB context through the<br /> public EVP_Cipher() one-shot interface, the application-supplied<br /> initialisation vector (IV) is silently discarded.<br /> <br /> Impact summary: Every message encrypted under the same key uses the<br /> same effective nonce regardless of the IV supplied by the caller,<br /> resulting in (key, nonce) reuse and loss of confidentiality. If the<br /> same code path is used to compute the authentication tag, the tag<br /> depends only on the (key, IV) pair and not on the plaintext or<br /> ciphertext, allowing universal forgery of arbitrary ciphertext from a<br /> single captured message.<br /> <br /> OpenSSL provides two ways to drive a cipher: the documented streaming<br /> interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level<br /> one-shot, EVP_Cipher(), whose documentation explicitly recommends<br /> against use by applications in favour of EVP_CipherUpdate() and<br /> EVP_CipherFinal_ex(). The OCB provider&amp;#39;s streaming handler flushes<br /> the application-supplied IV into the OCB context before processing<br /> data; the one-shot handler did not. Every call to EVP_Cipher() on an<br /> AES-OCB context therefore ran with the all-zero key-derived offset<br /> state left by cipher initialisation, regardless of the caller&amp;#39;s IV.<br /> <br /> If EVP_EncryptFinal_ex() is subsequently used to obtain the<br /> authentication tag, the deferred IV setup runs at that point and<br /> clears the running checksum that should have been accumulated over the<br /> plaintext. The resulting tag is a function of (key, IV) only and<br /> verifies against any ciphertext produced under the same (key, IV)<br /> pair.<br /> <br /> The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a<br /> TLS cipher suite, and libssl does not call EVP_Cipher() in any case.<br /> Applications that drive AES-OCB through the documented streaming AEAD<br /> API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only<br /> applications that combine the AES-OCB cipher with the EVP_Cipher()<br /> one-shot API are vulnerable.<br /> <br /> The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by<br /> this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.0.0 (incluyendo) 3.0.21 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.4.0 (incluyendo) 3.4.6 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.5.0 (incluyendo) 3.5.7 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.6.0 (incluyendo) 3.6.3 (excluyendo)
cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*