Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-9076

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-125 Lectura fuera de límites
Fecha de publicación:
09/06/2026
Última modificación:
16/06/2026

Descripción

*** Pendiente de traducción *** Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)<br /> processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK<br /> cipher can trigger a heap out-of-bounds read in kek_unwrap_key().<br /> <br /> Impact summary: A heap buffer over-read may trigger a crash which leads to<br /> Denial of Service for an application if the input buffer ends at a memory<br /> page boundary and the following page is unmapped. There is no information<br /> disclosure as the over-read bytes are not revealed to the attacker.<br /> <br /> The key unwrapping function performs a check-byte test as specified in the<br /> RFC that reads 7 bytes from a heap allocation that is based on the wrapped<br /> key length from the message. There is a minimum length check based on the<br /> block length of the wrapping cipher. However the cipher is selected from<br /> an OID carried in the attacker&amp;#39;s PWRI keyEncryptionAlgorithm with no<br /> requirement that the cipher be a block cipher. When an attacker selects<br /> a stream-mode cipher the guard will be ineffective and the allocated buffer<br /> containing the unwrapped key can be too small to fit the check-bytes<br /> specified in the RFC and a buffer over-read can happen.<br /> <br /> Applications calling CMS_decrypt() or CMS_decrypt_set1_password()<br /> (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS<br /> data are vulnerable to this issue. No password knowledge is required: the<br /> over-read happens during the unwrap attempt before any authentication<br /> succeeds.<br /> <br /> The over-read is limited to a few bytes and is not written to output, so<br /> there is no information disclosure. Triggering a crash requires the<br /> allocation to border unmapped memory, which is unlikely with the normal<br /> allocator.<br /> <br /> The FIPS modules are not affected by this issue.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 1.0.2 (incluyendo) 1.0.2zq (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 1.1.1 (incluyendo) 1.1.1zh (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.0.0 (incluyendo) 3.0.21 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.4.0 (incluyendo) 3.4.6 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.5.0 (incluyendo) 3.5.7 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.6.0 (incluyendo) 3.6.3 (excluyendo)
cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*