Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.
Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.
A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.
The dereferenced location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems, so the read will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon for applications to accept untrusted PKCS#12 files, as they are usually used to store private keys, which are trusted by definition. For these reasons, the issue was assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.
OpenSSL 1.0.2 is not affected by this issue.
{
"versions": [
{
"introduced": "1.1.1"
},
{
"fixed": "1.1.1ze"
},
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.19"
},
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.6"
},
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.4"
},
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.5"
},
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.1"
}
]
}
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22795.json"
[
{
"source": "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12",
"id": "CVE-2026-22795-09b46f75",
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2",
"id": "CVE-2026-22795-0b6c52aa",
"digest": {
"length": 48739.0,
"function_hash": "199855863195958881625652055964543723547"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c",
"function": "s_client_main"
}
},
{
"source": "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49",
"id": "CVE-2026-22795-135694a1",
"digest": {
"length": 46133.0,
"function_hash": "89525939813841793658939652477796738403"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c",
"function": "s_client_main"
}
},
{
"source": "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49",
"id": "CVE-2026-22795-1be6bf98",
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12",
"id": "CVE-2026-22795-23f9a2c6",
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e",
"id": "CVE-2026-22795-276a6f9a",
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4",
"id": "CVE-2026-22795-30c3a1ca",
"digest": {
"length": 48972.0,
"function_hash": "137663506870388774154075225648218501066"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c",
"function": "s_client_main"
}
},
{
"source": "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2",
"id": "CVE-2026-22795-3311f579",
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e",
"id": "CVE-2026-22795-3ae22c42",
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4",
"id": "CVE-2026-22795-564c849c",
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12",
"id": "CVE-2026-22795-5e98e146",
"digest": {
"length": 48972.0,
"function_hash": "137663506870388774154075225648218501066"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c",
"function": "s_client_main"
}
},
{
"source": "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e",
"id": "CVE-2026-22795-68a85aee",
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4",
"id": "CVE-2026-22795-86099db0",
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49",
"id": "CVE-2026-22795-8f8ff17b",
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2",
"id": "CVE-2026-22795-991d33fa",
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12",
"id": "CVE-2026-22795-af52563c",
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86",
"id": "CVE-2026-22795-c377fa22",
"digest": {
"line_hashes": [
"28170854778703993674264004058177114599",
"73132526844288570625317440636111911761",
"177405411499435185068645597737938634778",
"224809958623850711330610094965797758930",
"295554444428855106393106961197201359586"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "include/openssl/opensslv.h"
}
},
{
"source": "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49",
"id": "CVE-2026-22795-d52a9a4d",
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4",
"id": "CVE-2026-22795-d6153be7",
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2",
"id": "CVE-2026-22795-f144311b",
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
}
},
{
"source": "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e",
"id": "CVE-2026-22795-fbed4a44",
"digest": {
"length": 48969.0,
"function_hash": "127898544240712534256163966369522564864"
},
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "apps/s_client.c",
"function": "s_client_main"
}
}
]