OpenSSL CVE-2026-42771

EUVD-2026-35488 · MEDIUM
Out-of-bounds Read (CWE-125)
6.2 (CVSS 3.1, Vendor rating)

Severity by source

Vendor (CNA), primary: 6.2 MEDIUM (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
SUSE: 3.1 LOW (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Jun 09, 2026 - 20:28 (vuln.today): Source code evidence fetched
Jun 09, 2026 - 20:28 (vuln.today): Analysis generated
Jun 09, 2026 - 20:22 (NVD): CVSS changed to 6.2 (MEDIUM)
Jun 09, 2026 - 11:43 (nvd): CVE published, MEDIUM 6.2
Jun 09, 2026 - 11:43 (nvd): CVE published, UNKNOWN (no severity yet)

Description (pre-NVD)

Disclosed via GitHub release of openssl/openssl. NVD scoring and full description are pending.

Analysis (AI-generated)

Out-of-bounds read in OpenSSL 4.0.0's X509_VERIFY_PARAM_set1_email() function can crash applications performing email-based X.509 certificate verification when processing attacker-influenced email input, resulting in a denial-of-service condition. The vulnerability is scoped to OpenSSL 4.0.0 only and was patched in the June 9, 2026 security release (4.0.1), which bundled fixes for 18 CVEs. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local execution context
Delivery: Supply crafted email string to target application
Exploit: Application passes string to X509_VERIFY_PARAM_set1_email()
Execution: Out-of-bounds read triggered in OpenSSL 4.0.0
Impact: Application crash (denial of service)

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires local access (AV:L); remote unauthenticated exploitation against default network services is not supported by the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 6.2 score with vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H reflects a locally exploitable denial-of-service with low complexity and no privilege requirements. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: A local attacker, or a networked application that passes user-supplied email values to OpenSSL's certificate verification logic, submits a crafted oversized or malformed email string to a call of `X509_VERIFY_PARAM_set1_email()`. The out-of-bounds read triggers a segmentation fault or similar memory access violation, crashing the consuming application or service and causing a denial of service. …
Remediation: Upgrade to OpenSSL 4.0.1, which is the vendor-released patch that resolves CVE-2026-42771 and 17 additional CVEs in the same release. … Detailed patch versions, workarounds, and compensating controls in full report.
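The remediation and exploit-scenario entries above reduce to two practical tasks for a defender: find out which hosts link the affected OpenSSL build, and, where an immediate upgrade is not possible, keep obviously malformed email strings away from `X509_VERIFY_PARAM_set1_email()`. The Python below is an added example written for this page; it is not code from vuln.today or from the OpenSSL project. It assumes only what the page states (affected set is exactly 4.0.0, fix is 4.0.1); the 254-character bound and the shape rules in `email_is_sane()` are the editor's assumptions for a compensating control, not a documented trigger condition for the bug, and the sample version banners are constructed.

```python
"""Triage helper for CVE-2026-42771 (OpenSSL X509_VERIFY_PARAM_set1_email OOB read).

Added example, not code from vuln.today or OpenSSL. The affected set {4.0.0}
and fixed version 4.0.1 come from the advisory text on the page; the email
sanity bound of 254 characters is a defensive assumption, not a documented
trigger condition for the bug.
"""
import re
import ssl
import subprocess

AFFECTED_VERSIONS = {(4, 0, 0)}   # per the page: scoped to OpenSSL 4.0.0 only
FIXED_VERSION = (4, 0, 1)         # per the page: fixed in the June 9, 2026 release
MAX_EMAIL_LEN = 254               # assumption: practical SMTP address length bound

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Extract (major, minor, patch) from an 'openssl version' banner or from
    ssl.OPENSSL_VERSION; returns None when no version number is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True only for the versions the advisory lists as vulnerable."""
    return version is not None and version in AFFECTED_VERSIONS


def triage(banner):
    """Turn a version banner into a remediation decision for this CVE."""
    version = parse_openssl_version(banner)
    if version is None:
        return {"version": None, "affected": False, "action": "unknown build: verify manually"}
    if is_affected(version):
        fixed = ".".join(str(p) for p in FIXED_VERSION)
        return {"version": version, "affected": True, "action": f"upgrade to OpenSSL {fixed}"}
    return {"version": version, "affected": False, "action": "no action for this CVE"}


def linked_openssl_version():
    """Version of the OpenSSL that this interpreter's ssl module is linked against."""
    return parse_openssl_version(ssl.OPENSSL_VERSION)


def cli_openssl_version(binary="openssl"):
    """Version reported by an openssl binary on PATH (None if it cannot be run)."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True, text=True, check=False).stdout
    except OSError:
        return None
    return parse_openssl_version(out)


def email_is_sane(value):
    """Compensating control for callers that cannot upgrade yet: reject strings
    that have no business reaching X509_VERIFY_PARAM_set1_email(). This is a
    conservative shape check (bounded length, printable ASCII, no spaces,
    exactly one '@', non-empty local and domain parts), not an RFC 5322 parser."""
    if not isinstance(value, str) or not value or len(value) > MAX_EMAIL_LEN:
        return False
    if not value.isascii() or not value.isprintable() or " " in value:
        return False
    if value.count("@") != 1:
        return False
    local, domain = value.split("@")
    return bool(local) and bool(domain)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from a real host.
    for banner in ("OpenSSL 4.0.0 9 Jun 2026",
                   "OpenSSL 4.0.1 9 Jun 2026",
                   "OpenSSL 3.0.13 30 Jan 2024"):
        print(banner, "->", triage(banner))
    print("this interpreter:", triage(ssl.OPENSSL_VERSION))
```

`triage()` is deliberately strict about version equality: a build that reports no parseable version is flagged for manual review rather than treated as safe, and only an exact 4.0.0 match is reported as affected, because the page scopes the issue to that release alone. The `email_is_sane()` pre-check does not fix the library; it narrows what reaches the vulnerable call while the upgrade to 4.0.1 is rolled out.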

Vendor Status

SUSE

Severity: Low
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud: Fixed
SLES15-SP6-CHOST-BYOS: Fixed
SLES15-SP6-CHOST-BYOS-Aliyun: Fixed
