CVE-2026-45446
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
09/06/2026
Última modificación:
16/06/2026
Descripción
*** Pendiente de traducción *** Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV<br />
(RFC 8452) mishandle the authentication of AAD (Additional Authenticated<br />
Data) with an empty ciphertext allowing a forgery of such messages.<br />
<br />
Impact summary: An attacker can forge empty messages with arbitrary AAD<br />
to the victim&#39;s application using these ciphers.<br />
<br />
AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD<br />
modes: they accept a key, nonce, optional AAD (bytes that are authenticated<br />
but not encrypted), and plaintext, and produces ciphertext plus a 16-byte<br />
tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only<br />
if the tag is verified succesfully.<br />
<br />
In OpenSSL&#39;s provider implementation of these ciphers, the expected tag is<br />
computed only when decryption function is invoked with non-empty data.<br />
If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without<br />
invocation of the ciphertext update, which can happen when the received<br />
ciphertext length is zero, the tag is never recalculated and still holds its<br />
all-zeros value.<br />
<br />
When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty<br />
ciphertext, and all-zeros tag passes authentication under any key they do not<br />
know, single-shot. When AES-SIV is used, for mounting the attack it&#39;s<br />
necessary for the application to reuse the decryption context without<br />
resetting the key.<br />
<br />
AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since<br />
OpenSSL 3.2.<br />
<br />
No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support<br />
either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must<br />
implement their own protocol and use the EVP interface. Also they must skip the<br />
ciphertext update when a message with an empty ciphertext arrives.<br />
<br />
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this<br />
issue, as these algorithms are not FIPS approved and the affected code is<br />
outside the OpenSSL FIPS module boundary.
Impacto
Puntuación base 3.x
4.80
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.0.0 (incluyendo) | 3.0.21 (excluyendo) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.4.0 (incluyendo) | 3.4.6 (excluyendo) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.5.0 (incluyendo) | 3.5.7 (excluyendo) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.6.0 (incluyendo) | 3.6.3 (excluyendo) |
| cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc
- https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3
- https://github.com/openssl/openssl/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85
- https://github.com/openssl/openssl/commit/daca0f48e4a69a2892a62262bad59e62a8a76598
- https://github.com/openssl/openssl/commit/eec5e9bf0d867333b8495e456f5235d225798a68
- https://openssl-library.org/news/secadv/20260609.txt



