Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

A flaw was found in OpenSSL. An attacker controlling a Certificate Management Protocol (CMP) server, or acting as a man-in-the-middle, could craft a malicious CMP response. This response, containing a Certificate Request Message Format (CRMF) CertRepMessage with a specific malformed EncryptedValue structure, would trigger a NULL pointer dereference in the OpenSSL CMP client. This vulnerability leads to a crash of the application, resulting in a Denial of Service (DoS).

This is a Low severity issue. A null pointer dereference flaw in the OpenSSL Certificate Management Protocol (CMP) client could be triggered by an attacker-controlled CMP server. This could lead to a denial of service in applications that process untrusted CMP/CRMF messages. To mitigate this issue, ensure that OpenSSL CMP client applications only communicate with trusted Certificate Management Protocol (CMP) servers. If CMP client functionality is not required, consider disabling or restricting its use to reduce exposure. Red Hat Enterprise Linux 10 2026-06-11T00:00:00Z RHSA-2026:25237 openssl-1:3.5.5-4.el10_2 Red Hat Enterprise Linux 9 2026-06-11T00:00:00Z RHSA-2026:25239 openssl-1:3.5.5-4.el9_8 Red Hat Enterprise Linux 9 2026-06-11T00:00:00Z RHSA-2026:25239 openssl-1:3.5.5-4.el9_8 Red Hat Update Infrastructure 5 2026-06-16T00:00:00Z RHSA-2026:26319 rhui5/cds-rhel9:1781525684 Red Hat Update Infrastructure 5 2026-06-16T00:00:00Z RHSA-2026:26319 rhui5/haproxy-rhel9:1781525671 Red Hat Update Infrastructure 5 2026-06-16T00:00:00Z RHSA-2026:26319 rhui5/installer-rhel9:1781525693 Red Hat Update Infrastructure 5 2026-06-16T00:00:00Z RHSA-2026:26319 rhui5/rhua-rhel9:1781525739 Red Hat Enterprise Linux 10 Fix deferred edk2 Red Hat Enterprise Linux 10 Fix deferred shim Red Hat Enterprise Linux 10 Fix deferred shim-unsigned-aarch64 Red Hat Enterprise Linux 10 Fix deferred shim-unsigned-x64 Red Hat Enterprise Linux 6 Fix deferred openssl Red Hat Enterprise Linux 7 Fix deferred ovmf Red Hat Enterprise Linux 8 Fix deferred compat-openssl10 Red Hat Enterprise Linux 8 Fix deferred edk2 Red Hat Enterprise Linux 8 Fix deferred mingw-openssl Red Hat Enterprise Linux 8 Fix deferred openssl Red Hat Enterprise Linux 8 Fix deferred shim Red Hat Enterprise Linux 8 Fix deferred shim-unsigned-x64 Red Hat Enterprise Linux 9 Fix deferred compat-openssl11 Red Hat Enterprise Linux 9 Fix deferred edk2 Red Hat Enterprise Linux 9 Fix deferred shim Red Hat Enterprise Linux 9 Fix deferred shim-unsigned-aarch64 Red Hat Enterprise Linux 9 Fix deferred shim-unsigned-x64 Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-42767 https://nvd.nist.gov/vuln/detail/CVE-2026-42767