ALPINE-CVE-2026-34181
- Source
- https://security.alpinelinux.org/vuln/CVE-2026-34181
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2026-34181.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/ALPINE-CVE-2026-34181
- Upstream
- Published
- 2026-06-09T17:17:04.740Z
- Modified
- 2026-06-10T09:30:04.538669719Z
- Summary
- [none]
- Details
-
Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery.
Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability.
If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker.
The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
- References
Affected packages
Alpine:v3.22 / openssl
Package
- Name
- openssl
- Purl
- pkg:apk/alpine/openssl?arch=source
Alpine:v3.23 / openssl
Package
- Name
- openssl
- Purl
- pkg:apk/alpine/openssl?arch=source