18 CVEs HIGH CVSS 9.1

OpenSSL 4.0.1 Security Release Vulnerabilities

2026-06-09

CVE-2026-34182 CRITICAL PATCH

Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations:

* Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447])
* Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182])
* Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183])
* Fixed double-free when checking OCSP stapled respo

CVSS: 9.1 | EPSS: 0.0%

CVE-2026-45447 HIGH PATCH

Heap use-after-free in OpenSSL's PKCS7_verify() function affects multiple supported branches (1.0.2, 1.1.1, 3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.0) and is fixed in OpenSSL 4.0.1. Authenticated remote attackers able to submit crafted PKCS#7 signed data to a vulnerable application can trigger memory corruption leading to high-impact compromise of confidentiality, integrity, and availability per CVSS 8.8. No public exploit identified at time of analysis; EPSS is low (0.12%, 30th percentile) and CISA SSVC reports no observed exploitation, though the flaw is rated automatable with total technical impact.

CVSS: 8.8 | EPSS: 0.1%

CVE-2026-7383 HIGH PATCH

Heap buffer overflow in OpenSSL's ASN.1 multibyte string conversion routine allows remote attackers to corrupt memory and potentially achieve code execution against applications using affected OpenSSL versions prior to 4.0.1. The flaw was disclosed via the OpenSSL 4.0.1 security patch release alongside 17 other CVEs and is classified as a high-severity issue (CVSS 8.1) with no public exploit identified at time of analysis.

CVSS: 8.1 | EPSS: 0.1%

CVE-2026-42764 HIGH PATCH

Denial of service in OpenSSL 3.5.x, 3.6.x, and 4.0.0 stems from a NULL pointer dereference triggered during QUIC server initial packet handling, allowing remote unauthenticated attackers to crash affected servers by sending crafted QUIC traffic. The flaw was disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside multiple other CVEs; no public exploit identified at time of analysis and no CISA KEV listing. Patched versions are available from the upstream project and downstream distributions including Ubuntu (USN-8414-1).

CVSS: 7.5 | EPSS: 0.0%

CVE-2026-34180 HIGH PATCH

Denial-of-service in OpenSSL's ASN.1 content parser allows remote unauthenticated attackers to trigger a heap buffer over-read that can crash applications relying on the library for cryptographic parsing. Disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside more than a dozen other fixes, this issue affects every supported branch from 1.0.2 through 3.6 and 4.0. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the broad install base of OpenSSL across servers, clients, and embedded devices makes patching a priority.

CVSS: 7.5 | EPSS: 0.1%

CVE-2026-9076 HIGH PATCH

Out-of-bounds read in OpenSSL's CMS password-based decryption code (CVE-2026-9076) allows remote attackers to cause denial of service against applications that decrypt attacker-supplied CMS messages. The flaw is fixed in OpenSSL 4.0.1 alongside a batch of other cryptographic vulnerabilities, with no public exploit identified at time of analysis and no CISA KEV listing. Multiple OpenSSL branches (1.0.2, 1.1.1, 3.0, 3.4, 3.5, 3.6, and 4.0.0) require updates per the upstream advisory.

CVSS: 7.5 | EPSS: 0.1%

CVE-2026-42765 HIGH PATCH

Denial of service in OpenSSL 3.6.0-3.6.2 and 4.0.0 allows remote attackers to crash applications by triggering a NULL pointer dereference during certificate verification when OCSP checking is enabled. The flaw is patched in OpenSSL 4.0.1 (and 3.6.3) per the vendor's 2026-06-09 security advisory; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CVSS: 7.5 | EPSS: 0.0%

CVE-2026-45445 HIGH PATCH

Confidentiality break in OpenSSL's AES-OCB implementation stems from the EVP_Cipher() code path ignoring the caller-supplied initialization vector (IV), causing the cipher to operate with a fixed/default IV instead. Affected branches include 3.0.x prior to 3.0.21, 3.4.x prior to 3.4.6, 3.5.x prior to 3.5.7, 3.6.x prior to 3.6.3, and 4.0.0, fixed in OpenSSL 4.0.1 and corresponding maintenance releases. With no public exploit identified at time of analysis and no CISA KEV listing, the issue is rated High (CVSS 7.5) due to high confidentiality impact via network-reachable cryptographic operations.

CVSS: 7.5 | EPSS: 0.0%

CVE-2026-34183 HIGH PATCH

Denial of service in OpenSSL's QUIC implementation allows remote unauthenticated attackers to exhaust server memory by sending crafted PATH_CHALLENGE frames that trigger unbounded memory growth in the QUIC handler. The flaw affects OpenSSL branches 3.4.x, 3.5.x, 3.6.x, and 4.0.0, and is fixed in the 4.0.1 security release alongside numerous other CVEs. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the network-reachable, no-auth nature of QUIC server endpoints makes the issue operationally relevant for TLS/QUIC-facing services.

CVSS: 7.5 | EPSS: 0.0%

CVE-2026-34181 HIGH PATCH

Integrity-check bypass in OpenSSL 3.4.x, 3.5.x, 3.6.x, and 4.0.0 allows PKCS#12 files protected with PBMAC1 to be accepted even when secured by dangerously short HMAC keys, undermining the authentication of the keystore contents. Vendor patches are available in 3.4.6, 3.5.7, 3.6.3, and 4.0.1, and no public exploit identified at time of analysis; EPSS is 0.00% and the issue is not on the CISA KEV list.

CVSS: 7.4 | EPSS: 0.0%

CVE-2026-42771 MEDIUM PATCH

Out-of-bounds read in OpenSSL 4.0.0's `X509_VERIFY_PARAM_set1_email()` function can crash applications performing email-based X.509 certificate verification when processing attacker-influenced email input, resulting in a denial-of-service condition. The vulnerability is scoped to OpenSSL 4.0.0 only and was patched in the June 9, 2026 security release (4.0.1), which bundled fixes for 18 CVEs. No public exploit identified at time of analysis and no CISA KEV listing.

CVSS: 6.2 | EPSS: 0.0%

CVE-2026-42766 MEDIUM PATCH

Null pointer dereference in OpenSSL's password-based CMS decryption path enables remote denial of service against applications that process CMS EnvelopedData with password-based key derivation. The flaw affects a wide range of OpenSSL branches spanning 1.0.2 through 4.0.0, making the exposure surface unusually broad across long-term support and current releases. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the CVSS score of 5.9 (Medium) reflects the high attack complexity required to trigger the condition.

CVSS: 5.9 | EPSS: 0.1%

CVE-2026-42767 MEDIUM PATCH

NULL pointer dereference in OpenSSL's CRMF EncryptedValue decryption path crashes the affected process, creating a remotely triggerable denial-of-service condition across five actively maintained OpenSSL branches (3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.x). The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H, score 5.9) confirms network reachability with no authentication required, but high attack complexity limits trivial mass exploitation. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the broad version coverage and OpenSSL's ubiquitous deployment make patching a priority for any infrastructure using certificate management protocols.

CVSS: 5.9 | EPSS: 0.1%

CVE-2026-42769 MEDIUM PATCH

Trust anchor substitution in OpenSSL's CMP rootCaKeyUpdate handler allows a network-positioned attacker with low privileges to bypass certificate validation via a cert/issuer field confusion bug (CWE-295), affecting four actively maintained OpenSSL branches. The high confidentiality impact (C:H) reflects the potential for a substituted malicious trust anchor to undermine TLS certificate chains, enabling downstream interception of protected communications. No public exploit identified at time of analysis; vendor patch released 2026-06-09 across all affected branches.

CVSS: 5.3 | EPSS: 0.0%

CVE-2026-35188 MEDIUM PATCH

Pre-NVD disclosure via GitHub release 'OpenSSL 4.0.1' (openssl/openssl). OpenSSL 4.0.1 is a security patch release. The most severe CVE fixed in this release is High. This release incorporates the following bug fixes and mitigations:

* Fixed heap use-after-free in `PKCS7_verify()`. ([CVE-2026-45447])
* Fixed CMS `AuthEnvelopedData` processing may accept forged messages. ([CVE-2026-34182])
* Fixed unbounded memory growth in the QUIC `PATH_CHALLENGE` handler. ([CVE-2026-34183])
* Fixed double-free when checking OCSP stapled respo

CVSS: 5.0 | EPSS: 0.0%

CVE-2026-45446 MEDIUM PATCH

Incorrect authentication tag processing for empty messages in OpenSSL's AES-GCM-SIV and AES-SIV cipher modes enables network-positioned attackers to bypass integrity guarantees on empty ciphertext, yielding limited confidentiality and integrity violations (CVSS 4.8, CWE-325). Affected branches span OpenSSL 3.0.x through 4.0.0, all patched in the OpenSSL 4.0.1 security release dated 2026-06-09. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CVSS: 4.8 | EPSS: 0.0%

CVE-2026-42770 LOW PATCH

FFC-DH peer validation in OpenSSL incorrectly accepts an attacker-supplied `q` (subgroup order) parameter instead of using the locally trusted value, undermining the cryptographic integrity of Diffie-Hellman key exchange. Affected branches span OpenSSL 3.0.x, 3.4.x, 3.5.x, 3.6.x, and 4.0.0, with patched releases issued across all five branches on 2026-06-09. With a CVSS score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) and no confirmed active exploitation or public proof-of-concept, this is a moderate-priority patch item rather than an emergency response trigger - though its broad reach across widely deployed OpenSSL branches warrants timely remediation.

CVSS: 3.7 | EPSS: 0.0%

CVE-2026-42768 LOW PATCH

Bleichenbacher oracle in OpenSSL's CMS_decrypt() and PKCS7_decrypt() functions exposes RSA-encrypted message content to unauthenticated remote attackers who can submit adaptive chosen-ciphertext queries against multi-RecipientInfo CMS/PKCS7 structures. Four active OpenSSL branches are affected (3.4.x, 3.5.x, 3.6.x, and 4.0.x), with patches released under the coordinated OpenSSL security advisory on 2026-06-09. No public exploit code and no active exploitation have been identified at time of analysis; SSVC rates this non-automatable with partial technical impact, consistent with the attack's high operational complexity.

CVSS: 3.7 | EPSS: 0.0%
