Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45446

Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
09/06/2026
Última modificación:
16/06/2026

Descripción

*** Pendiente de traducción *** Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV<br /> (RFC 8452) mishandle the authentication of AAD (Additional Authenticated<br /> Data) with an empty ciphertext allowing a forgery of such messages.<br /> <br /> Impact summary: An attacker can forge empty messages with arbitrary AAD<br /> to the victim&amp;#39;s application using these ciphers.<br /> <br /> AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD<br /> modes: they accept a key, nonce, optional AAD (bytes that are authenticated<br /> but not encrypted), and plaintext, and produces ciphertext plus a 16-byte<br /> tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only<br /> if the tag is verified succesfully.<br /> <br /> In OpenSSL&amp;#39;s provider implementation of these ciphers, the expected tag is<br /> computed only when decryption function is invoked with non-empty data.<br /> If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without<br /> invocation of the ciphertext update, which can happen when the received<br /> ciphertext length is zero, the tag is never recalculated and still holds its<br /> all-zeros value.<br /> <br /> When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty<br /> ciphertext, and all-zeros tag passes authentication under any key they do not<br /> know, single-shot. When AES-SIV is used, for mounting the attack it&amp;#39;s<br /> necessary for the application to reuse the decryption context without<br /> resetting the key.<br /> <br /> AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since<br /> OpenSSL 3.2.<br /> <br /> No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support<br /> either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must<br /> implement their own protocol and use the EVP interface. Also they must skip the<br /> ciphertext update when a message with an empty ciphertext arrives.<br /> <br /> The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this<br /> issue, as these algorithms are not FIPS approved and the affected code is<br /> outside the OpenSSL FIPS module boundary.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.0.0 (incluyendo) 3.0.21 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.4.0 (incluyendo) 3.4.6 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.5.0 (incluyendo) 3.5.7 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.6.0 (incluyendo) 3.6.3 (excluyendo)
cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*