CVE-2026-45445
Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
09/06/2026
Última modificación:
16/06/2026
Descripción
*** Pendiente de traducción *** Issue summary: When an application drives an AES-OCB context through the<br />
public EVP_Cipher() one-shot interface, the application-supplied<br />
initialisation vector (IV) is silently discarded.<br />
<br />
Impact summary: Every message encrypted under the same key uses the<br />
same effective nonce regardless of the IV supplied by the caller,<br />
resulting in (key, nonce) reuse and loss of confidentiality. If the<br />
same code path is used to compute the authentication tag, the tag<br />
depends only on the (key, IV) pair and not on the plaintext or<br />
ciphertext, allowing universal forgery of arbitrary ciphertext from a<br />
single captured message.<br />
<br />
OpenSSL provides two ways to drive a cipher: the documented streaming<br />
interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level<br />
one-shot, EVP_Cipher(), whose documentation explicitly recommends<br />
against use by applications in favour of EVP_CipherUpdate() and<br />
EVP_CipherFinal_ex(). The OCB provider&#39;s streaming handler flushes<br />
the application-supplied IV into the OCB context before processing<br />
data; the one-shot handler did not. Every call to EVP_Cipher() on an<br />
AES-OCB context therefore ran with the all-zero key-derived offset<br />
state left by cipher initialisation, regardless of the caller&#39;s IV.<br />
<br />
If EVP_EncryptFinal_ex() is subsequently used to obtain the<br />
authentication tag, the deferred IV setup runs at that point and<br />
clears the running checksum that should have been accumulated over the<br />
plaintext. The resulting tag is a function of (key, IV) only and<br />
verifies against any ciphertext produced under the same (key, IV)<br />
pair.<br />
<br />
The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a<br />
TLS cipher suite, and libssl does not call EVP_Cipher() in any case.<br />
Applications that drive AES-OCB through the documented streaming AEAD<br />
API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only<br />
applications that combine the AES-OCB cipher with the EVP_Cipher()<br />
one-shot API are vulnerable.<br />
<br />
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by<br />
this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
Impacto
Puntuación base 3.x
7.50
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.0.0 (incluyendo) | 3.0.21 (excluyendo) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.4.0 (incluyendo) | 3.4.6 (excluyendo) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.5.0 (incluyendo) | 3.5.7 (excluyendo) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.6.0 (incluyendo) | 3.6.3 (excluyendo) |
| cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451
- https://github.com/openssl/openssl/commit/787a6dfba81b7b09c1e05ab31396c0cd7c36b3f7
- https://github.com/openssl/openssl/commit/7ac4715234ee72d9f3c93426a2c08554b5b771af
- https://github.com/openssl/openssl/commit/843c9b94ca9c2ed248bb30127bb4f3d7af0d607c
- https://github.com/openssl/openssl/commit/983d54b5cce8d16147548ed1a37892d1720bbab6
- https://openssl-library.org/news/secadv/20260609.txt



