CVE-2026-22796 · threatengine.sh

Home/CVE/Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_T

CVE

CVE-2026-22796

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_T

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type.

When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead.

For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

MEDIUM · CVSS 5.3 EPSS 0.0052

Schedule remediation

SSVC automatable: yes - attacks can be scripted at scale

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-754Improper Check for Unusual or Exceptional Conditions

▤

Affected Products & Versions

7

openssl>= 1.0.2 and < 1.0.2zn
openssl>= 1.1.1 and < 1.1.1ze
openssl>= 3.0.0 and < 3.0.19
openssl>= 3.3.0 and < 3.3.6
openssl>= 3.4.0 and < 3.4.4
openssl>= 3.5.0 and < 3.5.5
openssl>= 3.6.0 and < 3.6.1

▣

Scoring & Timeline

5.3

MEDIUM · CVSS v3.1 · openssl-security@openssl.org

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD27 Jan 2026 · 04:16 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC triage · cisa-vulnrichment

Exploitation

none

Automatable

yes

Technical impact

partial

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

30

rhsaRHSA-2026:7261Moderate
suse-csafSUSE-SU-2026:20373-1
suse-csafSUSE-SU-2026:0498-1
rhsaRHSA-2026:4943Important
suse-csafSUSE-SU-2026:20349-1
Show all 30 vendor advisoriessuse-csafopenSUSE-SU-2026:20152-1
suse-csafSUSE-SU-2026:0358-1
suse-csafSUSE-SU-2026:0359-1
suse-csafSUSE-SU-2026:0360-1
suse-csafSUSE-SU-2026:20211-1
suse-csafSUSE-SU-2026:20223-1
suse-csafSUSE-SU-2026:0346-1
suse-csafSUSE-SU-2026:0332-1
suse-csafSUSE-SU-2026:0333-1
suse-csafSUSE-SU-2026:0343-1
suse-csafSUSE-SU-2026:0309-1
suse-csafSUSE-SU-2026:0310-1
suse-csafSUSE-SU-2026:0311-1
suse-csafSUSE-SU-2026:0312-1
suse-csafSUSE-SU-2026:0331-1
usnUSN-7980-2
usnUSN-7980-1
rhsaRHSA-2026:3228Important
rhsaRHSA-2026:1736Important
rhsaRHSA-2026:2563Important
rhsaRHSA-2026:1473Important
rhsaRHSA-2026:2485Important
rhsaRHSA-2026:1472Important
siemens-csafSSA-265688
oracle-cpuoracle-cpu-MySQL-Connectors-8576--CVE-2026-22796

🔗

References & Sources

7

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4Patch

https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49Patch

https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12Patch

https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373ePatch

https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2Patch

https://openssl-library.org/news/secadv/20260127.txtVendor Advisory

Show all 7 references

https://cert-portal.siemens.com/productcert/html/ssa-265688.html

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin