
OpenSSL EUVD-2026-35486 | CVE-2026-42769 MEDIUM
Improper Certificate Validation (CWE-295)
5.3 CVSS 3.1 · Vendor

Severity by source

Vendor (CNA), primary: 5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE: 5.9 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Red Hat: 5.9 LOW (qualitative)

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched
Jun 09, 2026 - 21:39 (vuln.today)
Analysis Generated
Jun 09, 2026 - 21:39 (vuln.today)
CVSS changed
Jun 09, 2026 - 21:22 (NVD): 5.3 (MEDIUM)
CVE Published
Jun 09, 2026 - 11:43 (nvd): MEDIUM 5.3
CVE Published
Jun 09, 2026 - 11:43 (nvd): UNKNOWN (no severity yet)

Description (pre-NVD)

Disclosed via GitHub release of openssl/openssl. NVD scoring and full description are pending.

Analysis (AI)

Trust anchor substitution in OpenSSL's CMP rootCaKeyUpdate handler allows a network-positioned attacker with low privileges to bypass certificate validation via a cert/issuer field confusion bug (CWE-295), affecting four actively maintained OpenSSL branches. The high confidentiality impact (C:H) reflects the potential for a substituted malicious trust anchor to undermine TLS certificate chains, enabling downstream interception of protected communications. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Position as rogue CMP server or MitM in CMP traffic path
Delivery: Await client-initiated rootCaKeyUpdate operation
Exploit: Deliver crafted CMP rootCaKeyUpdate response
Install: cert/issuer field typo bypasses trust anchor validation in OpenSSL
C2: Attacker-controlled CA certificate installed as trust anchor
Execute: Issue fraudulent certificates signed by attacker CA
Impact: Decrypt or intercept victim TLS-protected communications

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target to be running an OpenSSL CMP client (PR:L reflects the low-privilege operational context of a PKI management agent) that is actively initiating or processing a rootCaKeyUpdate operation, that is, a root CA key rollover, which is a relatively infrequent but operationally critical event. …

Risk Assessment: The CVSS 3.1 score of 5.3 (Medium, AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) correctly captures the operational constraints: high attack complexity (AC:H) reflects the requirement to be positioned as a rogue CMP server or man-in-the-middle in the CMP communication path, and low privileges (PR:L) indicates that some level of authenticated or operational access is required. …

Exploit Scenario: An attacker operating a rogue CMP server, or positioned to intercept CMP traffic between an OpenSSL CMP client and its PKI management endpoint, sends a crafted rootCaKeyUpdate response during a root CA key rollover event. The cert/issuer field confusion in OpenSSL's validation logic causes the client to install the attacker-supplied certificate as the new trust anchor without verifying its authentic chain to the prior root CA. …

Remediation: Upgrade to the vendor-released patched versions: OpenSSL 4.0.1 (for 4.0.x users), 3.6.3 (for 3.6.x users), 3.5.7 (for 3.5.x users), or 3.4.6 (for 3.4.x users), as confirmed by the OpenSSL security advisory at https://openssl-library.org/news/secadv/20260609.txt and the GitHub release at https://github.com/openssl/openssl/releases/tag/openssl-4.0.1. …
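A version check against the fixed releases named in the remediation above, written here as an added example (it is not code from vuln.today or from the OpenSSL project). It assumes the four branches listed are the only ones the advisory covers and reports any other branch as needing manual review rather than guessing:

```python
"""Classify `openssl version` banners against the fixed releases listed
in the OpenSSL advisory for CVE-2026-42769 (4.0.1, 3.6.3, 3.5.7, 3.4.6)."""
import re
from typing import Optional, Tuple

# First fixed release per affected branch, as stated in the remediation text.
FIXED_BY_BRANCH = {
    (4, 0): (4, 0, 1),
    (3, 6): (3, 6, 3),
    (3, 5): (3, 5, 7),
    (3, 4): (3, 4, 6),
}

# Matches the leading "OpenSSL X.Y.Z" of the banner; trailing date is ignored.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner such as
    'OpenSSL 3.5.4 1 Jan 2026', or None when no version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def assess(banner: str) -> str:
    """One of: 'fixed', 'vulnerable', 'unlisted-branch' (a branch the
    advisory does not name; review manually) or 'unparseable'."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unparseable"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unlisted-branch"
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners (placeholder dates), not output from real hosts.
    for banner in ("OpenSSL 3.5.4 1 Jan 2026",
                   "OpenSSL 3.5.7 1 Jan 2026",
                   "OpenSSL 4.0.0 (Library: OpenSSL 4.0.0)",
                   "OpenSSL 3.3.2 1 Jan 2026",
                   "LibreSSL 3.9.2"):
        print(f"{banner!r}: {assess(banner)}")
```

Distributions that backport fixes (such as the SUSE products listed below) keep the upstream version string, so for packaged builds check the package changelog rather than this banner.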


Vendor Status

SUSE

Severity: Medium
Product Status:
SUSE Linux Enterprise Module for Basesystem 15 SP7: Affected
SUSE Linux Enterprise Server 15 SP7: Affected
SUSE Linux Enterprise Desktop 15 SP7: Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7: Affected
SUSE Linux Enterprise High Performance Computing 15 SP7: Affected


EUVD-2026-35486 vulnerability details – vuln.today
