OpenSSL users should patch now if applications decrypt untrusted CMS password-recipient data.
OpenSSL has fixed CVE-2026-9076, a heap out-of-bounds read in CMS password-based decryption. The flaw can crash applications that process attacker-supplied CMS data through password-recipient decryption paths.
Affected products are OpenSSL 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2. The OpenSSL FIPS modules are not affected. Microsoft’s Security Update Guide entry tracks the CVE, but the vulnerability source is the OpenSSL Software Foundation.
Severity needs careful handling. OpenSSL rates CVE-2026-9076 as Low in its June 9, 2026 security advisory. NVD had not published its own base score at the time of review. CISA ADP lists CVSS 3.1 score 7.5 High with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Treat exposed CMS decryption services as higher priority.
Impact
The impact is denial of service. An attacker can supply crafted CMS data that causes OpenSSL to read beyond a heap allocation during password-based recipient key unwrap processing. If memory layout conditions line up, the process can crash.
The bug does not disclose secret data. OpenSSL says the over-read bytes are not returned to the attacker. The issue is still operationally relevant. A crash in a mail gateway, document processing service, certificate workflow, automation worker, or API endpoint can interrupt service. Repeated inputs can turn a rare crash condition into a reliability incident.
The vulnerable code path is reached by applications that call CMS_decrypt() or CMS_decrypt_set1_password() on untrusted CMS content. The command-line equivalent is openssl cms -decrypt -pwri_password .... No password knowledge is required. The over-read happens during unwrap processing before authentication succeeds.
Affected Versions
Upgrade according to the OpenSSL branch in use:
| Branch | Vulnerable | Fixed version |
|---|---|---|
| OpenSSL 4.0 | Yes | 4.0.1 |
| OpenSSL 3.6 | Yes | 3.6.3 |
| OpenSSL 3.5 | Yes | 3.5.7 |
| OpenSSL 3.4 | Yes | 3.4.6 |
| OpenSSL 3.0 | Yes | 3.0.21 |
| OpenSSL 1.1.1 | Yes | 1.1.1zh, premium support only |
| OpenSSL 1.0.2 | Yes | 1.0.2zq, premium support only |
Do not rely only on openssl version from a shell. Many products statically link OpenSSL or ship private copies. Check application containers, appliances, language runtimes, embedded agents, mail processing components, VPN products, cryptographic middleware, and vendor-bundled libraries.
Technical Details
CMS, Cryptographic Message Syntax, is used for signed and encrypted messages. It underpins S/MIME and other message-protection workflows. Password Recipient Info, or PWRI, allows content encryption keys to be wrapped using password-derived material.
CVE-2026-9076 sits in that unwrap path. The vulnerable function is kek_unwrap_key(). It performs a check-byte test defined by RFC 3211. That test reads seven bytes from a heap allocation based on the wrapped key length supplied in the CMS message.
The guard condition assumes the key-encryption-key cipher behaves like a block cipher. The attacker controls the algorithm identifier in the PWRI keyEncryptionAlgorithm field. If the attacker selects a stream-mode cipher, the length guard can become ineffective. OpenSSL can allocate a buffer too small for the later check-byte read. The result is CWE-125, out-of-bounds read.
The read is small. The failure condition is narrow. A crash requires the allocation to sit at the edge of mapped memory, with the next page unmapped. That is why OpenSSL rates the issue Low. The remote attack surface can still matter when CMS data is accepted from unauthenticated users or external systems.
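The length guard and the seven-byte check-byte read just described, modeled in C as an added example (this is not OpenSSL's kek_unwrap_key() source or its patch; the function names, the CHECK_BYTES_NEEDED constant and the sample buffers are this example's own, derived from the RFC 3211 plaintext layout). A guard that reasons only in block-size units accepts a 2-byte buffer once the key-encryption cipher has block size 1, while the hardened guard requires room for every byte the check reads.

```c
/* Added example, not OpenSSL source: model of the RFC 3211 unwrap check.
 * Decrypted plaintext layout: tmp[0] = key length, tmp[1..3] = complement
 * of the first three key bytes, tmp[4..] = key. The check-byte test thus
 * touches tmp[0] through tmp[6]: seven bytes. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CHECK_BYTES_NEEDED 7 /* bytes read by the check-byte test */

/* Guard that reasons only in units of the KEK cipher block size. With a
 * 16-byte block cipher it guarantees >= 32 bytes; with a stream-mode
 * cipher (block size 1) it accepts a 2-byte buffer. */
bool unwrap_len_guard_blockwise(size_t inlen, size_t blocklen)
{
    if (blocklen == 0 || inlen < 2 * blocklen) /* at least two "blocks" */
        return false;
    return inlen % blocklen == 0;              /* whole number of blocks */
}

/* Hardened guard: also require room for every byte the check reads,
 * independent of block size. */
bool unwrap_len_guard_hardened(size_t inlen, size_t blocklen)
{
    return unwrap_len_guard_blockwise(inlen, blocklen)
        && inlen >= CHECK_BYTES_NEEDED;
}

/* RFC 3211 check-byte test over an already-decrypted buffer of tmplen
 * bytes. Returns the key length, or 0 on failure. The tmplen check is the
 * bound a block-size-only guard fails to establish. */
size_t rfc3211_check_bytes(const uint8_t *tmp, size_t tmplen)
{
    if (tmplen < CHECK_BYTES_NEEDED)
        return 0;
    size_t keylen = tmp[0];
    if (keylen + 4 > tmplen) /* key must fit after the 4-byte header */
        return 0;
    if (tmp[1] != (uint8_t)(tmp[4] ^ 0xFF) ||
        tmp[2] != (uint8_t)(tmp[5] ^ 0xFF) ||
        tmp[3] != (uint8_t)(tmp[6] ^ 0xFF))
        return 0;
    return keylen;
}

/* Constructed sample plaintexts: a valid 3-byte key and a corrupted copy. */
const uint8_t SAMPLE_GOOD[7] = { 3, 0xFE, 0xFD, 0xFC, 0x01, 0x02, 0x03 };
const uint8_t SAMPLE_BAD[7]  = { 3, 0xFE, 0xFD, 0x00, 0x01, 0x02, 0x03 };
```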
This is not a TLS certificate bug. It is not a general HTTPS server flaw. It affects applications that process untrusted CMS password-encrypted messages through the vulnerable OpenSSL CMS APIs.
Mitigation
Patch first. Upgrade OpenSSL to the fixed release for the deployed branch. Rebuild and redeploy applications that statically link OpenSSL. Restart long-running services after library updates.
Restrict exposure next. Block unauthenticated CMS password-recipient decryption where it is not required. Reject untrusted CMS inputs before they reach CMS_decrypt() or CMS_decrypt_set1_password(). Add size, format, and source controls at service boundaries.
Review error handling. Treat CMS decryption failures as hostile input. Avoid returning detailed parsing or unwrap errors to external callers. Rate-limit repeated failures. Log source, size, algorithm OIDs, and request path for investigation.
Inventory affected code. Search for direct use of CMS_decrypt, CMS_decrypt_set1_password, and openssl cms -decrypt -pwri_password. Check service wrappers and job workers. Check third-party components that process S/MIME, CMS, PKCS#7-adjacent workflows, secure document packages, or encrypted message archives.
For systems pinned to OpenSSL 1.1.1 or 1.0.2, confirm premium support access or move to a supported branch. These branches are no longer suitable for broad unmanaged deployment.
Detection
Look for crashes in processes that parse CMS or S/MIME input. Relevant indicators include segmentation faults, allocator faults, abnormal worker exits, repeated CMS decryption errors, and malformed CMS payloads using unexpected stream-mode algorithms in password-recipient encryption metadata.
Network signatures may be incomplete. CMS content can be transported through mail, APIs, file uploads, message queues, or batch jobs. Endpoint and application telemetry are more useful than perimeter matching alone.
Security teams should prioritize internet-facing services, mail processing services, document ingestion systems, and automation pipelines that decrypt CMS messages from external parties.
Timeline
| Date | Event |
|---|---|
| May 16, 2026 | Bhabani Sankar Das reported the issue to OpenSSL. |
| May 20, 2026 | Haruki Oyama of Waseda University independently reported the issue. |
| June 9, 2026 | OpenSSL published the advisory and fixed releases. |
| June 9, 2026 | NVD published CVE-2026-9076 and marked it awaiting enrichment. |
| June 9, 2026 | CISA ADP added CVSS 3.1 score 7.5 High. |
| June 10, 2026 | NVD recorded updated OpenSSL references and change history. |
Required Action
Update OpenSSL now where CMS password-based decryption is exposed to untrusted input. Verify linked library versions. Rebuild dependent software. Reduce external access to CMS decryption paths until patched. Monitor for crashes and repeated malformed CMS inputs.