Security News Jun 10, 2026 by vuln.today Threat Intelligence

7 New OpenSSL Vulnerabilities - 1 Critical, 6 High Severity

Related CVEs

Other CVEs in Same Group

CVE-2026-34182 CRITICAL 9.1

Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates th

CVE-2026-34183 HIGH 7.5

Denial of service in OpenSSL QUIC implementation allows remote unauthenticated attackers to exhaust server memory by sending crafted PATH_CHALLENGE frames that trigger unbounded memory growth in the QUIC handler. The flaw affects OpenSSL branches 3.4.x, 3.5.x, 3.6.x, and 4.0.0, and is fixed in the 4.0.1 security release alongside numerous other CVEs. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the network-reachable, no-auth nature of QUIC server endpoints makes the issue operationally relevant for TLS/QUIC-facing services.

CVE-2026-34181 HIGH 7.4

Integrity-check bypass in OpenSSL 3.4.x, 3.5.x, 3.6.x, and 4.0.0 allows PKCS#12 files protected with PBMAC1 to be accepted even when secured by dangerously short HMAC keys, undermining the authentication of the keystore contents. Vendor patches are available in 3.4.6, 3.5.7, 3.6.3, and 4.0.1, and no public exploit identified at time of analysis; EPSS is 0.00% and the issue is not on the CISA KEV list.

CVE-2026-42771 MEDIUM 6.2

Out-of-bounds read in OpenSSL 4.0.0's `X509_VERIFY_PARAM_set1_email()` function can crash applications performing email-based X.509 certificate verification when processing attacker-influenced email input, resulting in a denial-of-service condition. The vulnerability is scoped to OpenSSL 4.0.0 only and was patched in the June 9, 2026 security release (4.0.1), which bundled fixes for 18 CVEs. No public exploit identified at time of analysis and no CISA KEV listing.

CVE-2026-42767 MEDIUM 5.9

NULL pointer dereference in OpenSSL's CRMF EncryptedValue decryption path crashes the affected process, creating a remotely triggerable denial-of-service condition across five actively maintained OpenSSL branches (3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.x). The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, score 5.9) confirms network reachability with no authentication required, but high attack complexity limits trivial mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the broad version coverage and OpenSSL's ubiquitous deployment make patching a priority for any infrastructure using certificate management protocols.

CVE-2026-42766 MEDIUM 5.9

NULL pointer dereference in OpenSSL's password-based CMS decryption path enables remote denial of service against applications that process CMS EnvelopedData with password-based key derivation. The flaw affects a wide range of OpenSSL branches spanning 1.0.2 through 4.0.0, making the exposure surface unusually broad across long-term support and current releases. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS score of 5.9 (Medium) reflects the high attack complexity required to trigger the condition.

CVE-2026-42769 MEDIUM 5.3

Trust anchor substitution in OpenSSL's CMP rootCaKeyUpdate handler allows a network-positioned attacker with low privileges to bypass certificate validation via a cert/issuer field confusion bug (CWE-295), affecting four actively maintained OpenSSL branches. The high confidentiality impact (C:H) reflects the potential for a substituted malicious trust anchor to undermine TLS certificate chains, enabling downstream interception of protected communications. No public exploit identified at time of analysis; vendor patch released 2026-06-09 across all affected branches.

CVE-2026-35188 MEDIUM 5.0

Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates th
