
OpenSSL CVE-2026-45446

EUVD-2026-35490 | MEDIUM
Missing Cryptographic Step (CWE-325)
CVSS 3.1 (Vendor): 4.8

Severity by source

Vendor (CNA), primary: 4.8 MEDIUM (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
SUSE: 5.3 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Red Hat: 3.7 LOW (qualitative)

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (5 events)

Source Code Evidence Fetched: Jun 09, 2026 - 20:28 (vuln.today)
Analysis Generated: Jun 09, 2026 - 20:28 (vuln.today)
CVSS changed: Jun 09, 2026 - 20:22 (NVD), 4.8 (MEDIUM)
CVE Published: Jun 09, 2026 - 11:43 (nvd), UNKNOWN (no severity yet)
CVE Published: Jun 09, 2026 - 11:43 (nvd), MEDIUM 4.8

Description (pre-NVD)

Disclosed via GitHub release of openssl/openssl. NVD scoring and full description are pending.

Analysis (AI-generated)

Incorrect authentication tag processing for empty messages in OpenSSL's AES-GCM-SIV and AES-SIV cipher modes enables network-positioned attackers to bypass integrity guarantees on empty ciphertext, yielding limited confidentiality and integrity violations (CVSS 4.8, CWE-325). Affected branches span OpenSSL 3.0.x through 4.0.0, all patched in the OpenSSL 4.0.1 security release dated 2026-06-09. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify service using OpenSSL AES-GCM-SIV or AES-SIV
Delivery: Craft empty ciphertext payload with forged authentication tag
Exploit: Deliver payload to target endpoint
Execution: Tag verification step skipped for empty message
Impact: Forged message accepted, integrity and confidentiality partially bypassed

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires the target application to explicitly use OpenSSL's AES-GCM-SIV or AES-SIV authenticated encryption modes via the EVP API and to process empty plaintext messages through those modes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 4.8 Medium score with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N accurately reflects a real but constrained risk: the attack is network-reachable without authentication or user interaction, but requires high complexity tied to a very specific empty-message edge case in non-default cipher modes. …
Exploit Scenario: An attacker targeting a TLS-layer or application-layer service that uses OpenSSL's AES-GCM-SIV or AES-SIV modes submits a crafted protocol message with empty ciphertext and a manipulated authentication tag. Because the tag processing path for empty messages does not execute the required cryptographic verification step (CWE-325), the forged message is accepted as authentic, enabling limited integrity and confidentiality violations. …
Remediation: Upgrade to the patched OpenSSL releases published 2026-06-09: OpenSSL 4.0.1 for the 4.0.x branch, 3.6.3 for the 3.6.x branch, 3.5.7 for the 3.5.x branch, 3.4.6 for the 3.4.x branch, and 3.0.21 for the 3.0.x branch. …


Vendor Status

SUSE

Severity: Moderate
Product Status:
SUSE Linux Enterprise Module for Basesystem 15 SP7: Affected
SUSE Linux Enterprise Server 15 SP7: Affected
SUSE Linux Enterprise Desktop 15 SP7: Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7: Affected
SUSE Linux Enterprise High Performance Computing 15 SP7: Affected
