{ "threat_severity" : "Low", "public_date" : "2026-06-09T00:00:00Z", "bugzilla" : { "description" : "openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate", "id" : "2481893", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2481893" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-295", "details" : [ "Issue Summary: An error in the callback used to verify the certificate\nprovided in a Root CA key update Certificate Management Protocol (CMP)\nmessage response rendered the certificate validation ineffectual, which\ncould lead to escalation of credentials from the Registration Authority (RA)\nlevel to the root Certification Authority (root CA) level.\nImpact Summary: The Registration Autority could replace the root CA\ncertificate for the CMP clients with an arbitrary root CA certificate.\nOne of the parts of the Certificate Management Protocol (CMP), specified in\nRFC 9810, is Root Certification Authority (root CA) key Rollover,\nwhich is sent by the server in a message with type 'id-it-rootCaKeyUpdate'.\nAs part of these messages, 'newWithOld' certificate, the new root CA\ncertificate signed with the old root CA key, is provided, and verifying its\nsignature is crucial for transferring the trust from the old CA key to the\nnew one.\nThe 'id-it-rootCaKeyUpdate' messages are expected to be processed with\nOSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld'\ncertificate. A typo in the certificate chain building code led to adding\nan incorrect certificate ('newWithOld' instead of 'oldRoot') to the\ncertificate chain, rendering the certificate verification process ineffectual\n(only the issuer name and the algorithm OIDs were verified by other parts\nof the verification code).\nAn attacker who already has credentials that satisfy the CMP message\nprotection checks can generate a new key pair and use a crafted self-signed\ncertificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP\nclients would accept as a new trust anchor.\nSignificant preconditions for the attack (having valid RA-level credentials)\nare the reason the issue was assigned Low severity.\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.", "A flaw was found in the Certificate Management Protocol (CMP) implementation within OpenSSL. An attacker with existing Registration Authority (RA) level credentials could exploit an error in the certificate verification process during a Root Certificate Authority (CA) key update. This vulnerability allows the attacker to replace the root CA certificate for CMP clients with a fraudulent one. The primary consequence is an escalation of privileges, enabling the attacker to gain control equivalent to the root CA." ], "statement" : "This issue has a Low impact as it requires an attacker to already possess valid Registration Authority (RA) level credentials to exploit. A flaw in the Certificate Management Protocol (CMP) root CA key update process could allow an RA to substitute the root CA certificate for CMP clients with an arbitrary certificate, potentially leading to a trust-anchor substitution. FIPS modules are not affected.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-06-11T00:00:00Z", "advisory" : "RHSA-2026:25237", "cpe" : "cpe:/o:redhat:enterprise_linux:10.2", "package" : "openssl-1:3.5.5-4.el10_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-06-11T00:00:00Z", "advisory" : "RHSA-2026:25239", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "openssl-1:3.5.5-4.el9_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-06-11T00:00:00Z", "advisory" : "RHSA-2026:25239", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "openssl-1:3.5.5-4.el9_8" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-06-16T00:00:00Z", "advisory" : "RHSA-2026:26319", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/cds-rhel9:1781525684" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-06-16T00:00:00Z", "advisory" : "RHSA-2026:26319", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/haproxy-rhel9:1781525671" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-06-16T00:00:00Z", "advisory" : "RHSA-2026:26319", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/installer-rhel9:1781525693" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-06-16T00:00:00Z", "advisory" : "RHSA-2026:26319", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/rhua-rhel9:1781525739" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "edk2", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "shim", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-aarch64", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-x64", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Fix deferred", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "ovmf", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "compat-openssl10", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "edk2", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "mingw-openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "shim", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-x64", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "compat-openssl11", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "edk2", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "shim", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-aarch64", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-x64", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "rhcos", "cpe" : "cpe:/a:redhat:openshift:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42769\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42769" ], "name" : "CVE-2026-42769", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "lang" : "en:us" }, "csaw" : false }