כותרת Penligent

CVE-2026-45447, OpenSSL PKCS#7 Use-After-Free in Real Parser Paths

CVE-2026-45447 is a heap use-after-free in OpenSSL’s PKCS7_verify() function. The bug is triggered by a specially crafted PKCS#7 or S/MIME signed message where the SignedData.digestAlgorithms field is present as an empty ASN.1 SET. OpenSSL’s own June 9, 2026 advisory rates the issue High and states that the impact may include process crashes, heap corruption, or, in some application contexts, potentially remote code execution. The most important operational detail is narrower than the headline: applications are exposed when they process attacker-supplied PKCS#7 or S/MIME signed messages through OpenSSL PKCS#7 APIs, not merely because OpenSSL is installed on a host. (OpenSSL Library)

That distinction matters because OpenSSL sits everywhere. A fleet may have thousands of hosts with OpenSSL packages, containers, statically linked binaries, language runtimes, appliances, developer tools, and security products. CVE-2026-45447 does not make every ordinary HTTPS listener equally dangerous. A standard web server using OpenSSL only for TLS termination is not the same risk as a mail security gateway that verifies inbound S/MIME signatures, a document-processing service that accepts PKCS#7 signed blobs, or a certificate portal that validates uploaded signed content.

The better triage question is not “Do we use OpenSSL?” It is “Can an attacker or untrusted partner cause our software to call PKCS7_verify() on PKCS#7 or S/MIME content?” Package presence tells you where patching is required. Parser reachability tells you where incident-level validation should start.

OpenSSL says the affected branches are 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2, with fixed versions 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh for premium support customers, and 1.0.2zq for premium support customers. The advisory also states that applications using CMS APIs for this processing are not affected by this specific issue, and that the FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because the vulnerable code is outside the OpenSSL FIPS module boundary. (OpenSSL Library)

The practical consequence is clear. Patch the vulnerable OpenSSL versions, but prioritize validation around systems that ingest signed cryptographic containers from outside a trusted boundary. S/MIME mail flows, PKCS#7 upload endpoints, signature-verification services, PKI tooling, secure document workflows, software-update verification, and security appliances deserve more attention than generic TLS-only servers.

What is known about CVE-2026-45447

AreaCurrent technical understanding
CVECVE-2026-45447
רכיבOpenSSL PKCS#7 signature verification
פונקציהPKCS7_verify()
סוג הפגיעותHeap use-after-free, CWE-416 according to NVD change history
Trigger inputA crafted PKCS#7 or S/MIME signed message
Specific malformed structureSignedData.digestAlgorithms present as an empty ASN.1 SET
Ownership errorOpenSSL may incorrectly free a caller-owned BIO
Common follow-on eventThe calling application later uses or frees the same BIO
Potential impactCrash, heap corruption, or potentially remote code execution depending on allocator behavior and application usage
Affected API pathOpenSSL PKCS#7 APIs used for PKCS#7 or S/MIME signed message processing
Explicit non-affected pathCMS APIs for this processing, per OpenSSL advisory
FIPS statusOpenSSL FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected
Main remediationUpgrade to the fixed OpenSSL version for the branch
Main triage mistakeTreating all OpenSSL package presence as equivalent to reachable parser exposure

NVD’s entry repeats the core issue summary and adds useful context: the vulnerable path can lead to a use-after-free when a caller later uses the BIO originally passed to PKCS7_verify(), and the issue may result in crash, memory corruption, or potential remote code execution depending on allocator behavior and application-specific BIO usage patterns. NVD also shows that applications using OpenSSL PKCS#7 APIs may be affected, while applications using CMS APIs for this processing are not affected. (NVD)

Ubuntu’s CVE page lists the issue as High priority with a CVSS 3 score of 8.8, while NVD’s page shows a CISA-ADP CVSS vector in its change history and notes that NVD’s own enrichment had not yet provided an assessment at the time captured. That scoring variation should not distract from the remediation path. The vendor-fixed versions are clear, the vulnerable path is clear, and the exposure question is primarily about whether the PKCS#7 signed-message verification path is reachable from untrusted input. (Ubuntu)

Why this is not just another OpenSSL version alert

A lot of OpenSSL advisories get flattened into the same operational ticket: “upgrade OpenSSL everywhere.” That is necessary but incomplete. CVE-2026-45447 is a parser-path vulnerability. The dangerous condition is not only the library version. The dangerous condition is vulnerable library version plus reachable PKCS7_verify() usage plus attacker-influenced PKCS#7 or S/MIME signed content.

That is why the highest-risk systems are usually not the most obvious TLS endpoints. A public Nginx or Apache server using OpenSSL for normal HTTPS may still need package updates, but it is not automatically the most urgent CVE-2026-45447 validation target. A lower-profile service that accepts .p7m, .p7s, application/pkcs7-signature, application/pkcs7-mime, or S/MIME email can be much more relevant.

Parser vulnerabilities are often asymmetric in a way vulnerability dashboards do not capture well. The vulnerable component may be installed widely, but the exploitability is concentrated in workflows that parse attacker-controlled structured data. That means a version-only scanner can overstate some systems and understate others. A host can look vulnerable because it carries an affected OpenSSL package but never call the vulnerable function. Another host can look boring in asset inventory but run a bundled or statically linked copy inside a mail gateway, document processor, or proprietary appliance that processes hostile cryptographic containers all day.

The right model is a two-layer model. First, find affected OpenSSL versions. Second, prove which software paths parse untrusted PKCS#7 or S/MIME signed messages with OpenSSL PKCS#7 APIs. Skipping the first layer leaves you unpatched. Skipping the second leaves you unable to prioritize.

PKCS#7, S/MIME, and why PKCS7_verify() is a risky boundary

PKCS#7 is a cryptographic message format historically used for signed and encrypted data. S/MIME uses related message structures for signed and encrypted email. In practice, security teams see PKCS#7-like content in mail clients, mail gateways, document-signing tools, certificate workflows, firmware or package-signing systems, and legacy integrations that predate newer CMS-oriented implementations.

OpenSSL’s PKCS7_verify() verifies a PKCS#7 signedData structure. Its documented signature accepts a PKCS7 *p7, an optional certificate stack, an optional trusted certificate store, a BIO containing detached signed data if needed, a BIO output sink, and flags. The documentation describes certificate lookup, chain verification with the smimesign purpose, optional internal certificate and CRL handling, and final signature verification over the signed content. (OpenSSL Documentation)

That means PKCS7_verify() is not a superficial file-format parser. It sits at a trust boundary. It receives a structured cryptographic object, extracts certificates and signed attributes, handles content and BIO streams, performs certificate-chain logic, and verifies signatures. In a real application, the caller may pass BIO objects that it still owns and expects to manage after the verification call returns. That ownership assumption is exactly where CVE-2026-45447 becomes dangerous.

The OpenSSL documentation also states that PKCS7_verify() is very similar to CMS_verify(), while the CMS documentation describes a parallel API for CMS SignedData. For CVE-2026-45447, OpenSSL explicitly says applications using CMS APIs for this processing are not affected. That does not mean CMS is immune to every OpenSSL issue. It means this specific use-after-free is in the PKCS#7 path described by the advisory. (OpenSSL Documentation)

The presence of indata ו out BIO parameters is especially relevant. BIOs are OpenSSL’s I/O abstraction. A caller can use them for memory buffers, files, sockets, filters, or chained I/O behavior. A library function that incorrectly frees a BIO it does not own can destabilize the caller’s memory model. The caller may later call BIO_free() on the object it believes it still owns, or it may continue reading from or writing to that BIO. In memory safety terms, the bug is about object lifetime and ownership, not simply about accepting a malformed signature.

The vulnerable path, from empty ASN.1 SET to use-after-free

From Crafted Signed Message to Caller-Owned BIO Use-After-Free

The trigger described by OpenSSL is specific. The message must be a PKCS#7 or S/MIME signed message, and the SignedData.digestAlgorithms field must be present as an empty ASN.1 SET. During PKCS7_verify(), OpenSSL may incorrectly free a caller-owned BIO. A subsequent use of that BIO by the calling application results in a use-after-free condition. OpenSSL notes that the common case occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). (OpenSSL Library)

That chain can be simplified into five steps:

שלבWhat happensמדוע זה חשוב
1An attacker supplies a PKCS#7 or S/MIME signed messageThe input can cross a remote or semi-trusted boundary
2The message contains SignedData.digestAlgorithms as an empty ASN.1 SETThe malformed structure reaches the vulnerable parser condition
3The application calls PKCS7_verify()The vulnerable OpenSSL PKCS#7 verification path is invoked
4OpenSSL incorrectly frees a caller-owned BIOObject ownership is violated
5The caller later uses or frees the BIOUse-after-free can become crash, heap corruption, or potentially exploitable memory corruption

A use-after-free is dangerous because freed heap memory can be reused. The exact impact depends on allocator behavior, memory layout, compiler hardening, how the application uses the freed object, whether the object is freed again, whether an attacker can influence heap grooming, and whether the process runs in a constrained sandbox. That is why OpenSSL’s wording is careful. The advisory does not say every exposed application yields reliable code execution. It says the issue may result in crashes, heap corruption, and in some application contexts may potentially be exploitable for remote code execution. (OpenSSL Library)

For defenders, the safest assumption is that externally reachable parser crashes in privileged services are serious even when reliable RCE is not public. A mail gateway crash loop can be a denial-of-service incident. Heap corruption in a long-running process that handles sensitive messages is a more severe concern. A vulnerable parser reachable before authentication is much worse than an admin-only import feature, even if both use the same library.

Affected and fixed OpenSSL versions

OpenSSL’s official remediation table is straightforward. The branch-specific fixed versions are the source of truth for upstream OpenSSL, while Linux distributions, appliances, language runtimes, and vendors may backport patches into package versions that do not exactly match upstream version strings.

OpenSSL branchVulnerable according to OpenSSLFixed version or remediation target
4.0כןUpgrade to 4.0.1
3.6כןUpgrade to 3.6.3
3.5כןUpgrade to 3.5.7
3.4כןUpgrade to 3.4.6
3.0כןUpgrade to 3.0.21
1.1.1כןUpgrade to 1.1.1zh, premium support customers only
1.0.2כןUpgrade to 1.0.2zq, premium support customers only

OpenSSL’s advisory lists these exact upgrade targets. OpenSSL 3.0.21 release notes also identify 3.0.21 as a security patch release where the most severe CVE fixed was High and list CVE-2026-45447 as a fixed heap use-after-free in PKCS7_verify(). (OpenSSL Library)

Downstream status is more complicated. A distribution may ship openssl packages with backported security patches while retaining a version label that looks older than upstream. A container image may carry multiple OpenSSL copies. A commercial appliance may embed a private build. A language runtime may bundle OpenSSL or expose only a subset of OpenSSL functionality. For CVE-2026-45447, the question “what version is installed?” is only the beginning.

A strong patch ticket should include three fields: the OpenSSL branch or downstream package, the fixed vendor package or upstream target version, and the reachable parser workflows that rely on the affected code. Without the third field, teams risk spending most of their time on hosts with no reachable PKCS#7 path while missing the services that actually parse hostile signed messages.

Systems most likely to be exposed

The most likely exposure points are systems that accept, inspect, verify, or transform signed cryptographic containers. Some will be obvious, such as an S/MIME gateway. Others will be buried in import features, partner integrations, or operational tooling.

עדיפותSystem or workflowWhy it matters for CVE-2026-45447
קריטיInternet-facing S/MIME mail gatewayIt may process attacker-supplied signed mail automatically
קריטיSecure email appliance or DLP productThese systems often inspect inbound message structures before user interaction
גבוהDocument-signing verification serviceUsers may upload signed PKCS#7 objects for validation
גבוהCertificate import or PKI portalIt may parse signed or bundled cryptographic material from customers or partners
גבוהSecurity scanner or malware-analysis systemIt may intentionally ingest hostile signed objects
בינוניCI/CD workflow verifying signed artifactsExposure depends on whether untrusted contributors or partners can supply artifacts
בינוניInternal CA or PKI admin toolRisk depends on authentication, trust boundary, and parser isolation
Low for this CVEStandard TLS-only HTTPS serviceOpenSSL package presence still needs patching, but the vulnerable PKCS#7 path may not be reachable
Low for this CVEApplication using CMS APIs for this signed-message processingOpenSSL says CMS APIs are not affected by this issue

The most useful first cut is external reachability. If the application receives unauthenticated email, accepts uploaded signed files, processes partner-supplied cryptographic containers, or handles objects pulled from untrusted queues, it deserves early validation. If the parser is only reachable by a small group of administrators through an internal tool, patching is still required, but the urgency and compensating controls differ.

A second useful cut is automation. Human-opened S/MIME messages are still relevant, but an automated gateway that parses every inbound signed message before delivery has a very different exposure profile. Automated parsing turns every inbound message into a parser event. That makes crash detection, rate limiting, sandboxing, and patch timing more important.

A third cut is privilege. If the parser runs as root, has mailbox access, can read certificates or private keys, or sits on a sensitive network boundary, the blast radius is larger. A memory corruption bug in a low-privilege isolated worker is still serious. A memory corruption bug in a monolithic privileged gateway is worse.

What “CMS APIs are not affected” does and does not mean

OpenSSL’s advisory draws a clean line for this specific issue: applications using CMS APIs for this processing are not affected by CVE-2026-45447. That statement is useful for code review. If a service verifies signed messages only through the CMS verification APIs and does not call the legacy PKCS#7 verification path, CVE-2026-45447 should not be reachable through that signed-message workflow. (OpenSSL Library)

But there are two ways to misuse that fact.

The first mistake is assuming that any system with “CMS” in its documentation is safe. Many products use mixed terminology, support both PKCS#7 and CMS formats, or call different OpenSSL APIs depending on input type. The only reliable answer is code-path inspection or vendor confirmation.

The second mistake is assuming that CMS-related OpenSSL code had no other security issues. The same June 9, 2026 OpenSSL advisory also fixed CVE-2026-34182, a CMS AuthEnvelopedData processing issue that could accept forged messages, and CVE-2026-9076, an out-of-bounds read in CMS password-based decryption. Those are different bugs with different conditions, but they show why “we use CMS, not PKCS#7” is not a general substitute for patching. (OpenSSL Library)

A good long-term engineering move may still be to reduce legacy PKCS#7 API usage where modern CMS APIs are appropriate. But migration is not a same-day mitigation unless you can test it thoroughly. Signature verification code is security-sensitive. A rushed rewrite can create certificate-validation gaps, detached-content mistakes, or trust-store behavior changes.

Why the FIPS note matters but does not close the incident

OpenSSL says the FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because the vulnerable code is outside the OpenSSL FIPS module boundary. That statement is precise and important. It means the affected code is not inside the validated FIPS module boundary. It does not mean a FIPS-using application cannot call vulnerable non-FIPS OpenSSL code elsewhere. (OpenSSL Library)

This distinction often causes confusion in regulated environments. FIPS status is about the cryptographic module boundary and validation scope. CVE reachability is about application behavior. A service can be configured to use FIPS-approved cryptographic operations and still include non-FIPS parsing code in the surrounding application. If that surrounding application calls PKCS7_verify() on attacker-supplied S/MIME data through an affected OpenSSL version, the FIPS note does not magically remove the parser risk.

For audit teams, the right evidence is not “FIPS is enabled.” The right evidence is “we identified whether the application uses affected OpenSSL PKCS#7 APIs for untrusted PKCS#7 or S/MIME signed messages, upgraded or confirmed patched packages, and validated the parsing workflow after remediation.”

Safe PoC demonstration, understanding the bug without weaponizing it

The following PoC is not an OpenSSL exploit. It does not generate a malformed PKCS#7 message, does not target PKCS7_verify(), does not crash a real service, and cannot be used against production systems. It is a local toy program that demonstrates the ownership mistake at the heart of CVE-2026-45447: a library-style function frees an object that the caller still owns, and the caller later uses or frees that object.

That is the safest way to understand the vulnerability class without publishing a weaponized payload.

/*
 * safe_uaf_model.c
 *
 * Educational toy model only.
 * This is NOT OpenSSL code.
 * This does NOT parse PKCS#7 or S/MIME.
 * This does NOT reproduce CVE-2026-45447.
 *
 * It demonstrates the ownership pattern:
 * - caller creates and owns an object
 * - library function incorrectly frees it on a malformed-input branch
 * - caller later uses or frees the same object
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char label[32];
    int closed;
} ToyBIO;

static ToyBIO *toy_bio_new(const char *label) {
    ToyBIO *bio = malloc(sizeof(ToyBIO));
    if (!bio) {
        perror("malloc");
        exit(1);
    }

    snprintf(bio->label, sizeof(bio->label), "%s", label);
    bio->closed = 0;
    return bio;
}

static void toy_bio_write(ToyBIO *bio, const char *msg) {
    if (!bio) {
        return;
    }

    printf("[%s] %s\n", bio->label, msg);
}

static void toy_bio_free(ToyBIO *bio) {
    if (!bio) {
        return;
    }

    bio->closed = 1;
    free(bio);
}

/*
 * Simulates a vulnerable library function.
 *
 * The caller owns `caller_owned_bio`.
 * The function must not free it.
 * On the malformed branch, it incorrectly frees caller-owned memory.
 */
static int vulnerable_verify_model(ToyBIO *caller_owned_bio, int empty_digest_algorithms_set) {
    if (empty_digest_algorithms_set) {
        /*
         * Ownership bug:
         * the function frees an object it does not own.
         */
        toy_bio_free(caller_owned_bio);
        return 0;
    }

    toy_bio_write(caller_owned_bio, "verification succeeded in benign path");
    return 1;
}

int main(void) {
    ToyBIO *out = toy_bio_new("caller-owned-output");

    /*
     * The second argument models the malformed parser condition.
     * In CVE-2026-45447, the relevant malformed condition is an empty
     * ASN.1 SET in SignedData.digestAlgorithms.
     */
    int ok = vulnerable_verify_model(out, 1);

    if (!ok) {
        puts("verification failed, caller still believes it owns out");
    }

    /*
     * Use-after-free:
     * `out` was freed by the vulnerable function, but the caller still
     * treats it as valid.
     */
    toy_bio_write(out, "caller writes after failed verification");

    /*
     * A second free may also occur in real ownership bugs.
     */
    toy_bio_free(out);

    return 0;
}

Compile it with AddressSanitizer in a disposable local environment:

cc -fsanitize=address -g -O0 safe_uaf_model.c -o safe_uaf_model
./safe_uaf_model

A hardened build should report a heap-use-after-free or double-free style error. The exact wording varies by compiler and runtime. The lesson is not the crash message. The lesson is the ownership boundary. When a function accepts a caller-owned object, the caller must be able to rely on the function not freeing it unless the API contract explicitly says ownership is transferred.

In CVE-2026-45447, the object is a BIO passed into OpenSSL’s PKCS#7 verification path. The official advisory says OpenSSL may incorrectly free a caller-owned BIO, and a later use by the calling application results in a use-after-free. That is why application-specific behavior matters so much. One application may fail and immediately exit. Another may continue using the freed BIO in a long-lived process. A third may hit allocator-specific behavior that turns a crash into more serious memory corruption. (OpenSSL Library)

A real validation program should not attempt to crash production systems with malformed PKCS#7 samples. Use patched test environments, vendor-provided regression tests, unit tests around parser behavior, and controlled fuzzing harnesses with sanitizer builds. The production task is to patch and prove reachability, not to weaponize the parser bug.

Finding vulnerable versions is necessary but not enough

Start with version inventory, then move quickly to reachability. On a single host, these commands are useful first checks:

openssl version -a

On Debian or Ubuntu systems:

dpkg -l | grep -E 'openssl|libssl'
apt-cache policy openssl libssl3

On RHEL-family systems:

rpm -qa | grep -E '^openssl|^openssl-libs|^compat-openssl'
rpm -q --changelog openssl | grep -i 'CVE-2026-45447' -A3 -B3

On Alpine:

apk info | grep -E 'openssl|libcrypto|libssl'
apk policy openssl libcrypto3 libssl3

For containers, a software bill of materials is usually better than shelling into running workloads one by one:

syft your-image:tag | grep -i openssl
grype your-image:tag | grep -i 'CVE-2026-45447\|openssl'

For dynamically linked applications, inspect what the binary actually loads:

ldd /path/to/binary | grep -i ssl
ldd /path/to/binary | grep -i crypto

On macOS:

otool -L /path/to/binary | grep -i ssl
otool -L /path/to/binary | grep -i crypto

Static linking and vendor appliances are harder. You may need vendor advisories, binary strings, SBOMs, container layer inspection, or runtime process maps. A quick process-level Linux check can help, although it is not a complete answer:

pidof your-service
cat /proc/<pid>/maps | grep -Ei 'libssl|libcrypto|openssl'

Once you find affected OpenSSL packages or bundled libraries, search for the vulnerable usage pattern. These searches are not perfect, but they give security engineers and maintainers a practical starting point:

grep -R "PKCS7_verify" .
grep -R "SMIME_read_PKCS7" .
grep -R "d2i_PKCS7" .
grep -R "d2i_PKCS7_bio" .
grep -R "PEM_read_bio_PKCS7" .
grep -R "openssl smime" .
grep -R "smime -verify" .
grep -R "application/pkcs7-signature" .
grep -R "application/pkcs7-mime" .
grep -R "\.p7m" .
grep -R "\.p7s" .

The best search result is not just a function name. The best result is a path from untrusted input to parser invocation. For example, an email gateway that extracts every inbound S/MIME attachment and calls PKCS7_verify() is much more urgent than an offline admin-only script that verifies a local trusted file once a month.

Reachability questions that separate real exposure from noise

A reachable CVE-2026-45447 path usually answers “yes” to several of these questions:

Questionמדוע זה חשוב
Can external users, unauthenticated senders, or partners supply PKCS#7 or S/MIME content?The bug needs crafted input
Does the application call OpenSSL PKCS#7 APIs rather than CMS APIs for this processing?The vulnerable path is PKCS#7 API processing
Is PKCS7_verify() called automatically before a human reviews the content?Automated parsing increases exposure
Does the process continue running after verification failure?Continued execution can make use-after-free effects more relevant
Does the process run with high privileges or broad mailbox, file, or network access?Higher privileges increase blast radius
Is the parser in a monolithic long-lived service?Long-lived heap state can make memory corruption more concerning
Is the parser sandboxed, rate limited, and isolated?Isolation can reduce impact while patching proceeds
Can the service be patched independently of the host OpenSSL package?Bundled libraries require special remediation

A version scanner cannot answer these questions alone. Neither can a code search alone. The answer comes from joining SBOM data, package status, application architecture, input paths, and runtime behavior.

For a security team under time pressure, the quickest useful classification is:

כיתהתיאורפעולה
Confirmed reachableAffected OpenSSL plus PKCS7_verify() plus untrusted PKCS#7 or S/MIME signed inputEmergency patch, validate, monitor crashes, consider temporary parser restrictions
Plausibly reachableAffected OpenSSL plus signed-message or certificate import workflow, but API path not yet confirmedTreat as high priority until code or vendor confirms
Package-only exposureAffected OpenSSL installed, but no identified PKCS#7 or S/MIME parser pathPatch in accelerated maintenance, lower incident priority
Not affected by this CVEUses CMS API for this processing or patched OpenSSL, with no legacy PKCS#7 pathRecord evidence and continue normal OpenSSL advisory tracking

That classification is more useful than a flat “vulnerable or not vulnerable” flag. It tells engineering, operations, and leadership where to put scarce remediation time first.

Detection signals, what defenders can actually watch

There is unlikely to be one universal network signature for CVE-2026-45447 that works reliably across environments. The vulnerable input is a structured cryptographic message, often delivered through application-specific channels such as email, file upload, document processing, or partner message exchange. Detection should focus on parser workflows and crash behavior.

Useful signals include:

אותPossible meaningCaveat
Sudden crashes in S/MIME gateway processesMalformed signed-message parsing may be triggering memory corruptionCould also be unrelated mail parsing bug
SIGSEGV, SIGABRT, allocator corruption, or double-free messagesMemory safety failure in parser or surrounding codeNeeds process and stack context
Core dumps from services that handle .p7m או .p7s קבציםPossible crash around PKCS#7 parsingCore dump handling may be disabled
Container restart spikes after inbound mail burstsAutomated parser crash loopNeeds correlation with input type
Logs mentioning PKCS#7, S/MIME, signature verification, or BIO errors before crashStronger parser-path clueLogging may be sparse
ASAN reports in staging or fuzzing around PKCS7_verify()High-value validation evidenceUsually unavailable in production builds

Linux triage commands can help responders quickly identify crash patterns:

journalctl --since "24 hours ago" | grep -Ei 'openssl|pkcs7|s/mime|smime|bio|segfault|aborted|double free|corruption'

coredumpctl list | grep -Ei 'mail|smime|pkcs|openssl|gateway|scanner'

coredumpctl info <PID_OR_COREDUMP_ID>

For Kubernetes environments:

kubectl get pods -A | grep -Ei 'crashloop|error'

kubectl logs -n <namespace> <pod> --previous | grep -Ei 'openssl|pkcs7|s/mime|smime|segfault|aborted|corruption'

For mail and document-processing systems, content-level telemetry is useful if privacy requirements allow it. You do not need to log message bodies. You can log metadata such as MIME type, attachment extension, parser path, verification result, source trust level, and failure reason.

A minimal application log event might include:

{
  "event": "signed_message_verification",
  "parser": "openssl_pkcs7",
  "api": "PKCS7_verify",
  "input_type": "application/pkcs7-signature",
  "source_trust": "external_sender",
  "result": "verification_failed",
  "service": "mail-gateway-worker",
  "openssl_runtime": "3.0.20"
}

That kind of log is useful beyond this CVE. It gives defenders a way to answer parser-reachability questions quickly during future OpenSSL, S/MIME, CMS, ASN.1, certificate, and document-parser advisories.

A simple Sigma-style hunting rule can help find command-line OpenSSL usage in server workflows:

title: OpenSSL S/MIME or PKCS7 Verification in Server Workflow
id: 1f7a4125-cve-2026-45447-hunt
status: experimental
description: Detects OpenSSL command-line S/MIME or PKCS7 verification activity that may indicate a parser workflow requiring CVE-2026-45447 review.
logsource:
  product: linux
  category: process_creation
detection:
  selection_image:
    Image|endswith:
      - "/openssl"
  selection_args:
    CommandLine|contains:
      - " smime "
      - " -verify"
      - " pkcs7 "
      - " cms "
  condition: selection_image and selection_args
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
  - CurrentDirectory
falsepositives:
  - Administrative certificate operations
  - CI signing verification jobs
  - Mail-processing automation
level: medium
tags:
  - cve.2026.45447
  - attack.t1204

This rule does not detect library-linked parser abuse inside a custom application. It is only a hunting aid. The stronger control is asset-aware instrumentation around signed-message parsing.

Patch strategy for production estates

The upstream fix is simple: upgrade to the fixed OpenSSL release for your branch. The production reality is not simple. OpenSSL may appear in operating system packages, containers, language runtimes, application bundles, static binaries, security appliances, firmware images, and vendor-managed cloud services.

A practical patch sequence looks like this:

  1. Identify all affected OpenSSL packages and bundled libraries.
  2. Prioritize systems that parse untrusted PKCS#7 or S/MIME signed messages.
  3. Apply vendor patches or upgrade to the fixed upstream branch target.
  4. Restart services that dynamically link to updated OpenSSL libraries.
  5. Rebuild and redeploy containers that carried vulnerable library layers.
  6. Confirm runtime linkage after deployment, not only package installation.
  7. Validate signed-message workflows in staging with benign samples.
  8. Monitor parser crashes and verification failures after rollout.

Service restart matters. Updating a package on disk does not always update a running process. Long-lived daemons may continue using the old mapped library until restarted. Containers need rebuilt base layers and redeployment. Appliances may require firmware or vendor hotfixes.

A useful post-patch Linux check is:

# Show the OpenSSL package version
openssl version -a

# Show whether a running process still maps old libssl or libcrypto objects
cat /proc/<pid>/maps | grep -Ei 'libssl|libcrypto'

# On systemd systems, list services that may need restart after library updates
needrestart -r l

For containers:

# Confirm image SBOM after rebuild
syft your-fixed-image:tag | grep -i openssl

# Confirm deployed pod image digests
kubectl get pods -n <namespace> -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.containerStatuses[*].imageID}{"\n"}{end}'

For vendors, ask for two statements, not one. “Are you affected by CVE-2026-45447?” is useful but often too broad. Better questions are:

  • Do you ship or statically link an affected OpenSSL branch?
  • Does your product call OpenSSL PKCS#7 APIs, including PKCS7_verify(), on untrusted PKCS#7 or S/MIME signed messages?
  • What fixed version or backported patch is included in your advisory?
  • Is a service restart, firmware update, or configuration change required?
  • Are there temporary controls for disabling external S/MIME or PKCS#7 parsing until patched?

Those questions make it harder for a vendor to answer with a vague “we use OpenSSL but are investigating” statement.

Temporary controls when immediate patching is blocked

Temporary controls are not a replacement for patching. They can reduce exposure while patches are tested, maintenance windows are negotiated, or vendor fixes are pending.

The most effective temporary control is to reduce untrusted parser input. Depending on the system, that may mean disabling external S/MIME verification, blocking PKCS#7 upload features, limiting signed-document validation to authenticated users, isolating partner feeds, or routing high-risk files to a sandboxed parser service.

Potential compensating controls include:

בקרהWhen it helpsמגבלות
Disable external S/MIME verification temporarilyMail gateway or secure email system can operate without automatic signature verificationMay affect business workflows and user trust indicators
Restrict .p7m, .p7s, and PKCS#7 MIME uploadsUpload or document-verification portalsFile extensions and MIME types can be spoofed
Require authentication before signed-message parsingPublic upload endpointsDoes not remove risk from compromised accounts or partners
Sandbox parser workersHigh-risk document or email processingReduces blast radius but does not fix the bug
Run parser as low-privilege userLong-running servicesStill vulnerable to crash or local data exposure through process privileges
Rate limit parser requestsPublic or partner-facing servicesDoes not stop a single malformed file from crashing a worker
Queue and quarantine unusual signed objectsMail and document workflowsRequires operational review capacity
Add crash-loop alertsKubernetes or service-managed parser workersDetects symptoms, not exploitation

A strong temporary posture combines several of these. For example, a mail gateway might disable automatic S/MIME signature verification for external unauthenticated senders, process signed objects in isolated workers, rate limit suspicious senders, and monitor worker crashes until the patched build is deployed.

Do not rely on extension blocking alone. PKCS#7 or S/MIME content can appear under different names, encodings, and MIME wrappers. Content-aware parsing controls are better than filename controls, but even they are not a substitute for patching.

Code-level hardening for teams that maintain PKCS#7 verification paths

If your codebase directly calls OpenSSL PKCS#7 APIs, the fix is not only “bump OpenSSL.” The advisory should trigger a short audit of parser ownership, error handling, and input boundaries.

A typical legacy verification flow might look like this:

BIO *in = BIO_new_file(path, "rb");
BIO *out = BIO_new(BIO_s_mem());
PKCS7 *p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);

int ok = PKCS7_verify(p7, certs, store, detached_content, out, flags);

/* Caller assumes it still owns all BIOs it created. */
BIO_free(out);
BIO_free(in);
PKCS7_free(p7);

On patched OpenSSL, the vulnerable malformed input should not cause OpenSSL to free a caller-owned BIO incorrectly. But the surrounding code still deserves review:

  • Are all parser inputs treated as untrusted unless proven otherwise?
  • Is signature verification isolated from privileged application state?
  • Are BIOs freed exactly once on all success and failure paths?
  • Are detached-content paths tested?
  • Are verification failures handled as data failures rather than process failures?
  • Are parser workers sandboxed?
  • Are certificates from the message treated as untrusted chain-building material unless explicitly trusted?
  • Are legacy PKCS#7 code paths still needed, or can they be replaced after testing?

OpenSSL’s PKCS7_verify() documentation says internal certificates in the message may be used as untrusted CAs unless flags such as PKCS7_NOCHAIN are set, and that PKCS7_NOINTERN can be used when the signer certificate must come from a supplied certificate set rather than the message itself. Those flags are not CVE-2026-45447 mitigations by themselves, but they are relevant to a broader review of PKCS#7 verification semantics. (OpenSSL Documentation)

The safest pattern is to separate parser hardening from trust-policy hardening. Patching OpenSSL fixes the memory safety bug. Reviewing flags, trust stores, signer constraints, and detached-content handling reduces the chance that the signed-message workflow accepts content it should reject.

Related OpenSSL CVEs that help frame the risk

CVE-2026-45447 appeared in a large OpenSSL security advisory that also included several CMS, ASN.1, QUIC, OCSP, CMP, and cipher-mode issues. The related CVEs are not interchangeable, but they help defenders understand a pattern: cryptographic libraries are not only TLS handshakes. They also parse complex container formats, certificate structures, message formats, and protocol-specific data.

CVEWhy it is relevantExploit conditionMain riskתיקון
CVE-2026-45447The focus of this article, heap use-after-free in PKCS7_verify()Attacker-supplied PKCS#7 or S/MIME signed message with empty digestAlgorithms SET reaches OpenSSL PKCS#7 APICrash, heap corruption, potentially RCE in some contextsUpgrade to fixed OpenSSL branch version
CVE-2026-34182Same June 2026 advisory, CMS AuthEnvelopedData validation problemAttacker supplies crafted CMS data to affected CMS processingMessage forgery or integrity validation bypass scenariosUpgrade to fixed OpenSSL branch version
CVE-2026-45445Same advisory, AES-OCB IV ignored on one-shot EVP_Cipher() שבילApplication uses AES-OCB through lower-level one-shot EVP_Cipher() interfaceNonce reuse, confidentiality loss, potential universal forgery in the described pathUpgrade and avoid the discouraged one-shot path
CVE-2026-34180Same advisory, ASN.1 content parsing heap over-readApplication passes attacker-supplied DER ASN.1 data into affected decoding functionsCrash or reading beyond input buffer in certain conditionsUpgrade and reduce untrusted ASN.1 parser exposure
CVE-2025-15467Earlier OpenSSL message-parsing issue involving CMS AuthEnvelopedDataApplication parses untrusted CMS or PKCS#7-family content through affected pathStack corruption, denial of service, potential RCE depending on contextUpgrade affected OpenSSL releases and validate parser reachability

OpenSSL’s 3.0.21 release notes list CVE-2026-45447 along with CVE-2026-34182, CVE-2026-45445, CVE-2026-9076, CVE-2026-34180, CVE-2026-42766, CVE-2026-42770, and CVE-2026-45446. That cluster matters because it pushes teams to look beyond TLS and examine cryptographic message parsing, ASN.1 processing, and application-specific OpenSSL usage. (OpenSSL Library)

Penligent previously analyzed CVE-2025-15467 as an OpenSSL CMS and PKCS#7 parser exposure problem, emphasizing the same operational distinction that matters here: package presence is not the same as parser reachability. That older OpenSSL case is useful background for teams building repeatable triage processes for message-parsing vulnerabilities rather than treating every crypto-library CVE as a flat package-update event. (Penligent)

Why AI-assisted validation belongs in the workflow, but not in the headline

For CVE-2026-45447, the hard work is not generating a dangerous payload. The hard work is mapping the environment: where OpenSSL is installed, where it is bundled, which services parse signed messages, which APIs are called, which endpoints or mail flows can feed attacker-controlled PKCS#7 or S/MIME content, which systems are patched, and which findings have proof rather than assumptions.

That is a good fit for assisted validation workflows when they remain evidence-driven. A tool can help correlate asset discovery, code search, endpoint behavior, runtime fingerprints, test notes, and retest evidence. It should not replace human judgment about exploitability, parser reachability, or safe testing boundaries. Penligent’s public positioning is an AI-powered penetration testing workflow focused on verified findings, evidence, reproduction steps, and remediation guidance, which is the right kind of framing for this class of work when used only on authorized systems. (Penligent)

For security teams, the valuable output is not “OpenSSL found.” It is a short, defensible statement such as: “Service X uses OpenSSL 3.0.20, accepts unauthenticated S/MIME signed mail, calls the PKCS#7 verification path, was upgraded to a fixed package, and was retested with benign signed messages after deployment.” That kind of evidence helps engineering teams act and helps auditors understand why one vulnerable package entry was urgent while another was handled in a normal maintenance window.

Common mistakes during CVE-2026-45447 response

The first mistake is treating CVE-2026-45447 as a generic TLS crisis. The vulnerability is in PKCS#7 signed-message verification, not ordinary TLS negotiation. If your only exposure is a TLS listener that never parses PKCS#7 or S/MIME signed messages, the specific reachable risk is lower, although patching still matters.

The second mistake is treating “CMS APIs are not affected” as a reason to ignore the June 2026 OpenSSL update. CMS APIs are not affected by this specific PKCS#7 use-after-free, but the same advisory includes other CMS issues. Security teams still need to apply relevant OpenSSL fixes and review downstream vendor guidance. (OpenSSL Library)

The third mistake is relying only on openssl version in a shell. Many real exposures live in containers, statically linked binaries, bundled libraries, appliances, and language runtimes. A host-level version check can miss the copy that a service actually loads.

The fourth mistake is testing production by throwing malformed cryptographic blobs at it. That is unnecessary and risky. Use controlled staging environments, patched regression tests, and sanitizer builds. Production validation should focus on version, reachability, patch deployment, service restart, and safe benign workflow testing.

The fifth mistake is ignoring parser privileges. A crash in a sandboxed worker and heap corruption in a privileged monolith are not the same operational risk. Prioritization should account for trust boundary, privilege, isolation, and availability impact.

The sixth mistake is assuming no public exploit means no urgency. OpenSSL’s own advisory describes a memory safety issue with potential remote code execution in some contexts. Public exploit maturity is only one factor. Reachable parser memory corruption in exposed infrastructure deserves focused remediation even before widespread exploitation is observed. (OpenSSL Library)

A practical response plan for security teams

CVE-2026-45447 Exposure Triage Workflow

A clear response plan can be executed without panic.

First, identify affected OpenSSL versions across operating systems, containers, appliances, runtime bundles, and custom builds. Use package managers, SBOM tooling, vendor advisories, binary inspection, and runtime maps. Record the fixed package or upstream target for each branch.

Second, identify PKCS#7 and S/MIME signed-message workflows. Search code and configuration for PKCS7_verify(), SMIME_read_PKCS7, PKCS#7 parsing helpers, command-line openssl smime -verify, .p7m, .p7s, and PKCS#7 MIME types. Interview teams responsible for mail, PKI, document signing, partner file exchange, and security tooling.

Third, classify systems by reachability. External unauthenticated parsing goes first. Partner-reachable parsing goes next. Internal admin-only parsing follows. Package-only findings with no parser path still need patching, but they should not block emergency work on confirmed reachable systems.

Fourth, patch and restart. Apply vendor packages or upstream fixed versions, restart dynamically linked services, rebuild containers, update appliances, and confirm runtime linkage. Do not assume that package installation updated running processes.

Fifth, validate safely. Use benign signed messages and known-good workflows to ensure the patched service still verifies legitimate content. In staging, use sanitizer builds or vendor-provided regression tests if available. Do not introduce weaponized malformed PKCS#7 payloads into production.

Sixth, monitor. Watch for crash loops, parser failures, S/MIME verification errors, and abnormal inbound signed-message patterns during and after rollout. Keep temporary parser restrictions in place until the riskiest systems are patched.

Seventh, preserve evidence. Store the version before and after remediation, the service restart proof, the parser reachability assessment, and the retest result. This evidence is valuable for incident review, compliance, and future OpenSSL advisory response.

Example internal advisory

A strong internal advisory should be short enough for engineers to act on but precise enough to avoid false urgency.

CVE-2026-45447 is a High-severity OpenSSL heap use-after-free in PKCS7_verify().
It is triggered when an application processes a crafted PKCS#7 or S/MIME signed
message where SignedData.digestAlgorithms is present as an empty ASN.1 SET.
OpenSSL may incorrectly free a caller-owned BIO, and later caller use can lead
to crash, heap corruption, or potentially remote code execution in some contexts.

Affected upstream branches:
- 4.0 before 4.0.1
- 3.6 before 3.6.3
- 3.5 before 3.5.7
- 3.4 before 3.4.6
- 3.0 before 3.0.21
- 1.1.1 before 1.1.1zh for premium support customers
- 1.0.2 before 1.0.2zq for premium support customers

Priority:
P1: systems that parse untrusted PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs
P2: partner-facing or internal tools that parse signed cryptographic containers
P3: affected OpenSSL package presence with no identified PKCS#7 or S/MIME parser path

Do not test production with malformed PKCS#7 payloads. Patch, restart, confirm
runtime linkage, and validate with benign signed-message workflows.

That message avoids both extremes. It does not minimize the issue. It also does not imply that every OpenSSL-linked TLS process is equally exploitable.

שאלות נפוצות

Is CVE-2026-45447 a TLS vulnerability?

  • No, not in the usual sense. The vulnerable function is PKCS7_verify(), which verifies PKCS#7 signedData structures.
  • A normal HTTPS service using OpenSSL only for TLS termination is not the main exposure path.
  • The higher-risk path is an application that processes attacker-controlled PKCS#7 or S/MIME signed messages through OpenSSL PKCS#7 APIs.
  • Patch OpenSSL anyway, but prioritize systems by parser reachability, not by TLS presence alone.

What systems are most likely to be exposed?

  • S/MIME-capable mail gateways and secure email appliances.
  • Services that accept .p7m, .p7s, application/pkcs7-signature, או application/pkcs7-mime content.
  • Document-signing and signature-verification workflows.
  • PKI portals, certificate import tools, and partner cryptographic-message exchange systems.
  • Security products or malware-analysis systems that parse hostile signed containers.
  • CI/CD or software-update systems that verify signed PKCS#7 artifacts from semi-trusted sources.

Does using OpenSSL automatically make a service vulnerable?

  • No. Affected OpenSSL presence is required for the upstream vulnerability, but exposure depends on whether the service reaches the vulnerable PKCS#7 verification path.
  • A host may have a vulnerable OpenSSL package but never parse PKCS#7 or S/MIME signed messages.
  • Another host may look clean at the OS package level but run a statically linked or bundled vulnerable copy inside an application.
  • The correct workflow is version inventory plus parser-path validation.

Are CMS APIs affected by CVE-2026-45447?

  • OpenSSL states that applications using CMS APIs for this processing are not affected by CVE-2026-45447.
  • That statement applies to this specific PKCS#7 use-after-free.
  • It does not mean CMS-related OpenSSL code had no other 2026 issues. The same OpenSSL advisory includes separate CMS vulnerabilities.
  • Teams should still patch OpenSSL and review all CMS, S/MIME, and PKCS#7 workflows.

Can CVE-2026-45447 be exploited for remote code execution?

  • OpenSSL states that the issue may result in crash, heap corruption, or potentially remote code execution in some application contexts.
  • Reliable RCE depends on allocator behavior, application-specific BIO usage, process lifetime, hardening, sandboxing, and attacker control over heap state.
  • Defenders should not assume every exposed parser yields reliable RCE.
  • Defenders also should not dismiss the issue as only a crash, because reachable heap corruption in exposed parser code is serious.

What should I patch first?

  • Patch externally reachable systems that process untrusted PKCS#7 or S/MIME signed messages.
  • Prioritize automated mail gateways, document-verification services, public upload endpoints, PKI portals, and security appliances.
  • Rebuild and redeploy containers, not just hosts.
  • Restart dynamically linked services after package updates.
  • Ask vendors whether they call OpenSSL PKCS#7 APIs on untrusted signed-message input.

How can I validate exposure without crashing production?

  • Search code and configurations for PKCS7_verify, SMIME_read_PKCS7, PKCS#7 MIME types, .p7m, .p7s, and command-line openssl smime -verify.
  • Confirm the OpenSSL version actually loaded by the running service.
  • Use benign signed messages to verify normal behavior after patching.
  • Use staging, sanitizer builds, fuzzing harnesses, or vendor regression tests for malformed-input testing.
  • Do not send malformed PKCS#7 samples to production systems as a validation shortcut.

Closing assessment

CVE-2026-45447 should be handled as a serious OpenSSL message-parsing vulnerability, not as a vague “OpenSSL is installed everywhere” panic. The official facts are specific: a crafted PKCS#7 or S/MIME signed message with an empty SignedData.digestAlgorithms ASN.1 SET can cause OpenSSL’s PKCS7_verify() path to incorrectly free a caller-owned BIO, leading to use-after-free when the caller later uses that BIO. The upstream fixes are clear. The affected branches are clear. The API boundary is clear. (OpenSSL Library)

The hard part is environmental. Find the systems that actually parse untrusted PKCS#7 or S/MIME signed messages. Patch those first. Confirm runtime linkage. Retest safely. Keep evidence. A flat package inventory tells you where OpenSSL exists. A reachability assessment tells you where CVE-2026-45447 can become a real incident.

שתף את הפוסט:
פוסטים קשורים
he_ILHebrew