Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

A flaw was found in OpenSSL. A remote attacker could exploit a NULL pointer dereference vulnerability in the Cryptographic Message Syntax (CMS) decryption process by providing a specially crafted password-encrypted CMS message. This occurs because the keyDerivationAlgorithm field, which is optional, is dereferenced without proper validation. Successful exploitation leads to an application crash, resulting in a Denial of Service.

This issue is rated as Low impact. A NULL pointer dereference in OpenSSL's CMS decryption can be triggered by a specially crafted password-encrypted CMS message, leading to an Red Hat application crash and Denial of Service. This affects applications that perform password-based CMS decryption. Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat Enterprise Linux 10 2026-06-11T00:00:00Z RHSA-2026:25237 openssl-1:3.5.5-4.el10_2 Red Hat Enterprise Linux 9 2026-06-11T00:00:00Z RHSA-2026:25239 openssl-1:3.5.5-4.el9_8 Red Hat Enterprise Linux 9 2026-06-11T00:00:00Z RHSA-2026:25239 openssl-1:3.5.5-4.el9_8 Red Hat Update Infrastructure 5 2026-06-16T00:00:00Z RHSA-2026:26319 rhui5/cds-rhel9:1781525684 Red Hat Update Infrastructure 5 2026-06-16T00:00:00Z RHSA-2026:26319 rhui5/haproxy-rhel9:1781525671 Red Hat Update Infrastructure 5 2026-06-16T00:00:00Z RHSA-2026:26319 rhui5/installer-rhel9:1781525693 Red Hat Update Infrastructure 5 2026-06-16T00:00:00Z RHSA-2026:26319 rhui5/rhua-rhel9:1781525739 Red Hat Enterprise Linux 10 Fix deferred edk2 Red Hat Enterprise Linux 10 Fix deferred shim Red Hat Enterprise Linux 10 Fix deferred shim-unsigned-aarch64 Red Hat Enterprise Linux 10 Fix deferred shim-unsigned-x64 Red Hat Enterprise Linux 6 Fix deferred openssl Red Hat Enterprise Linux 7 Fix deferred ovmf Red Hat Enterprise Linux 8 Fix deferred compat-openssl10 Red Hat Enterprise Linux 8 Fix deferred edk2 Red Hat Enterprise Linux 8 Fix deferred mingw-openssl Red Hat Enterprise Linux 8 Fix deferred openssl Red Hat Enterprise Linux 8 Fix deferred shim Red Hat Enterprise Linux 8 Fix deferred shim-unsigned-x64 Red Hat Enterprise Linux 9 Fix deferred compat-openssl11 Red Hat Enterprise Linux 9 Fix deferred edk2 Red Hat Enterprise Linux 9 Fix deferred shim Red Hat Enterprise Linux 9 Fix deferred shim-unsigned-aarch64 Red Hat Enterprise Linux 9 Fix deferred shim-unsigned-x64 Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-42766 https://nvd.nist.gov/vuln/detail/CVE-2026-42766