OpenSSL fixed a low-severity Bleichenbacher-style oracle in CMS_decrypt() and PKCS7_decrypt() that can let attacker-supplied CMS or S/MIME messages abuse vulnerable applications as RSA decryption or signing oracles.
Impact first. Patch exposed OpenSSL deployments that process attacker-controlled CMS or S/MIME messages.
CVE-2026-42768 affects OpenSSL applications using CMS_decrypt() or PKCS7_decrypt() with RSA PKCS#1 v1.5 key transport. The flaw can create a Bleichenbacher-style oracle when an attacker can submit crafted CMS or S/MIME content and observe error codes, decryption output, or related success and failure signals.
OpenSSL rates the issue Low severity. CISA-ADP lists CVSS 3.1 as 3.7 LOW with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, as shown in the NVD entry for CVE-2026-42768. NVD enrichment was still pending when the record was viewed.
The affected OpenSSL branches are 4.0, 3.6, 3.5, and 3.4. Fixed versions are OpenSSL 4.0.1, 3.6.3, 3.5.7, and 3.4.6, according to the OpenSSL security advisory from June 9, 2026. OpenSSL says the FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected because CMS and S/MIME processing occurs outside the FIPS module boundary.
The title supplied by the Microsoft Security Update Guide appears to be a loading shell, not the authoritative advisory. Public CVE data identifies the OpenSSL Software Foundation as the source. Treat this as an OpenSSL issue unless Microsoft later publishes product-specific guidance for software it ships or maintains.
What Is Affected
Affected products and code paths are narrow.
The vulnerable functions are CMS_decrypt() and PKCS7_decrypt() in OpenSSL. The risk applies when applications accept attacker-supplied CMS or S/MIME messages and expose enough feedback for an oracle. The feedback may be explicit error codes. It may also be indirect behavior, such as different response bodies, log entries, timing differences, different downstream workflow outcomes, or returned decrypted content.
Affected OpenSSL versions:
- OpenSSL 4.0, fix in OpenSSL 4.0.1
- OpenSSL 3.6, fix in OpenSSL 3.6.3
- OpenSSL 3.5, fix in OpenSSL 3.5.7
- OpenSSL 3.4, fix in OpenSSL 3.4.6
OpenSSL 3.0, 1.1.1, and 1.0.2 are described differently. The advisory says those branches do not implement RSA implicit rejection and are affected by variants of Bleichenbacher and Marvin attacks, but a full behavioral fix would require a breaking change that is not feasible for stable branches. Operators using those versions should treat RSA PKCS#1 v1.5 key transport in CMS or S/MIME as a risk area and reduce exposure at the application layer.
Technical Details
This is an oracle bug. That matters.
A Bleichenbacher-style attack abuses small differences in how RSA PKCS#1 v1.5 decryption failures are reported. The attacker does not need the private key. The attacker sends chosen ciphertexts and observes whether each one produced valid padding, a usable content-encryption key, a different error, or a different decrypted result. Repeating that process can recover information about protected data. In some constructions, it can also support signature forgery.
OpenSSL describes two attack variants for CVE-2026-42768.
First variant. An application calls CMS_decrypt() or PKCS7_decrypt() without providing the recipient certificate. OpenSSL then iterates over KeyTransRecipientInfo entries. An attacker can craft a CMS or S/MIME message with two recipient entries. One entry wraps a real content-encryption key for the victim. The second carries attacker-chosen probe ciphertext. If the application exposes the relevant error state, the attacker can iterate probes until the behavior reveals valid PKCS#1 v1.5 padding.
That becomes the oracle.
Second variant. The application does provide the recipient certificate, but the recipient is not found. OpenSSL substitutes a random key. If the attacker can compare both the error code and the decryption result, the same class of oracle can appear.
This does not automatically mean every mail client, gateway, or document processing system is exploitable. Preconditions are material. The attacker needs a path to submit CMS or S/MIME messages. The target must process them with vulnerable OpenSSL APIs. The target must reveal enough information to distinguish useful decryption states. OpenSSL says it is not aware of applications that give a remote attacker the needed opportunity and considers such applications unlikely.
Do not ignore it.
Low severity does not mean no operational work. CMS and S/MIME tend to appear in systems that handle sensitive messages, certificates, encrypted documents, signing workflows, and enterprise mail automation. The affected primitive involves private RSA keys. Even a hard-to-reach oracle deserves rapid remediation when keys protect business data or identity systems.
Why The Fix Works
The fix changes RSA PKCS#1 v1.5 handling for this path.
OpenSSL now uses an implicit rejection mechanism when RSA PKCS#1 v1.5 key transport is in use. Instead of exposing a clean failure signal on invalid padding, the decryption operation returns a deterministic plaintext value derived from the ciphertext and private key. That removes the crisp success-or-failure behavior that oracle attacks rely on.
This follows the direction of the CFRG RSA guidance draft linked by OpenSSL. The principle is simple. Do not let attackers distinguish padding failures from valid decryptions through program behavior.
There is a trade-off. When a recipient certificate is not supplied, OpenSSL may select the last recipient entry that produces a key with a plausible length. That can result in garbage decrypted content. OpenSSL states the correct application behavior is to provide the recipient certificate so the intended RecipientInfo can be identified.
That guidance is operationally useful. Applications should not call decryption APIs in a way that forces the library to guess which recipient entry belongs to the local key.
Required Action
Patch now where OpenSSL 4.0, 3.6, 3.5, or 3.4 is present.
Upgrade targets:
- OpenSSL 4.0 users, upgrade to 4.0.1
- OpenSSL 3.6 users, upgrade to 3.6.3
- OpenSSL 3.5 users, upgrade to 3.5.7
- OpenSSL 3.4 users, upgrade to 3.4.6
Then restart dependent services. Rebuilding OpenSSL is not enough if long-running processes still have the old library mapped into memory.
Inventory first where needed. Check operating system packages, containers, appliances, static builds, language runtimes, and vendor products that bundle OpenSSL. Many applications do not use the system OpenSSL package at runtime. Container images and statically linked binaries are common sources of stale crypto code.
Application owners should also review CMS and S/MIME handling.
Required checks:
- Identify uses of CMS_decrypt() and PKCS7_decrypt().
- Confirm whether attacker-controlled CMS, PKCS#7, or S/MIME input reaches those APIs.
- Provide the recipient certificate when decrypting recipient-specific messages.
- Normalize error responses for decryption failures.
- Avoid returning raw OpenSSL error distinctions to remote users.
- Avoid exposing decrypted garbage content as a meaningful success signal.
- Prefer modern key transport designs where protocol and interoperability requirements allow it.
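The following is an added example, not OpenSSL's code, that models the PKCS#1 v1.5 unpadding step which follows raw RSA decryption in key transport: first with the explicit failure signal that forms the oracle described under Technical Details, then with the implicit rejection described under Why The Fix Works. The block layout, the probe ciphertext and the private-key-bound secret are constructed stand-ins, and the key derivation here is a simplified model rather than OpenSSL's own.

```python
import hashlib
import hmac

KEY_LEN = 32  # content-encryption key length carried by the key transport (constructed)

def unpad_explicit(block: bytes, key_len: int):
    """Classic EME-PKCS1-v1_5 unpadding of the block produced by raw RSA decryption.
    Returns None on any padding error; that None is the distinguishable signal a
    Bleichenbacher oracle is built from."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(b"\x00", 2)      # -1 if no separator, else end of nonzero padding
    if sep < 10:                      # fewer than 8 padding bytes, or no separator
        return None
    key = block[sep + 1:]
    return key if len(key) == key_len else None

def synthetic_key(ciphertext: bytes, key_secret: bytes, key_len: int) -> bytes:
    """Deterministic stand-in key derived from the ciphertext and a secret bound to
    the private key (constructed KDF; OpenSSL's own derivation differs in detail)."""
    return hmac.new(key_secret, ciphertext, hashlib.sha256).digest()[:key_len]

def unpad_implicit(block: bytes, ciphertext: bytes, key_secret: bytes, key_len: int) -> bytes:
    """Implicit rejection: never report failure. Bad padding yields the synthetic key,
    so the caller sees a key of the right length either way and the same probe
    ciphertext always maps to the same result. Toy model: not constant-time."""
    fallback = synthetic_key(ciphertext, key_secret, key_len)
    key = unpad_explicit(block, key_len)
    return key if key is not None else fallback

# Constructed sample inputs: a well-formed block, a block with the wrong type byte,
# a probe "ciphertext" and a private-key-bound secret.
CEK = bytes(range(1, KEY_LEN + 1))
GOOD_BLOCK = b"\x00\x02" + b"\xa5" * 8 + b"\x00" + CEK
BAD_BLOCK = b"\x00\x01" + b"\xa5" * 8 + b"\x00" + CEK
CIPHERTEXT = b"constructed probe ciphertext"
KEY_SECRET = hashlib.sha256(b"constructed private key material").digest()

def attacker_can_distinguish(unpad) -> bool:
    """True if a remote caller can tell GOOD_BLOCK from BAD_BLOCK by outcome shape
    (key vs. failure), which is exactly what the oracle needs."""
    good = unpad(GOOD_BLOCK)
    bad = unpad(BAD_BLOCK)
    return (good is None) != (bad is None)

if __name__ == "__main__":
    print("explicit oracle visible:",
          attacker_can_distinguish(lambda b: unpad_explicit(b, KEY_LEN)))
    print("implicit oracle visible:",
          attacker_can_distinguish(lambda b: unpad_implicit(b, CIPHERTEXT, KEY_SECRET, KEY_LEN)))
```

The library-level signal disappears with implicit rejection, but an application that then returns decrypted garbage or a distinct error to a remote caller re-creates a signal one layer up, which is why the checks above also ask for normalized failure responses.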
Security teams should monitor for unusual CMS or S/MIME processing failures after patching. The fix may change behavior in edge cases where applications relied on old recipient-selection behavior. Those applications need code correction, not rollback.
Timeline
- January 30, 2026: Related OpenSSL ASN.1 issue CVE-2026-34180 reported, part of the same June advisory batch.
- April 16, 2026: CVE-2026-42768 reported by Alex Gaynor of Anthropic.
- June 9, 2026: OpenSSL published the security advisory covering CVE-2026-42768 and other vulnerabilities.
- June 9, 2026: NVD published CVE-2026-42768.
- June 9, 2026: CISA-ADP added CVSS 3.1 scoring of 3.7 LOW.
- June 10, 2026: NVD last modified the record.
Bottom Line
CVE-2026-42768 is a low-severity OpenSSL cryptographic oracle with high-value failure modes. Exploitation requires specific application behavior, but the affected code handles private-key operations for CMS and S/MIME. Upgrade OpenSSL. Review decryption API usage. Remove distinguishable decryption errors from remote attack paths.
Authoritative references: OpenSSL advisory, NVD CVE record, CVE program record, and OpenSSL source repository.