CVE-2026-22796
- Source
- https://cve.org/CVERecord?id=CVE-2026-22796
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22796.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-22796
- Downstream
- Related
- Published
- 2026-01-27T16:16:35.543Z
- Modified
- 2026-03-20T12:48:47.955253Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- [none]
- Details
-
Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.
Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7digestfrom_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.
The function PKCS7digestfromattributes() accesses the message digest attribute value without validating its type. When the type is not VASN1OCTETSTRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.
Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.
The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
- References
-
- https://openssl-library.org/news/secadv/20260127.txt
- https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
- https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
- https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
- https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
- https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
Affected packages
Git / github.com/openssl/openssl
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openssl/openssl
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedFixedFixedFixedFixedFixed
- Database specific
{ "versions": [ { "introduced": "1.0.2" }, { "fixed": "1.0.2zn" }, { "introduced": "1.1.1" }, { "fixed": "1.1.1ze" }, { "introduced": "3.0.0" }, { "fixed": "3.0.19" }, { "introduced": "3.3.0" }, { "fixed": "3.3.6" }, { "introduced": "3.4.0" }, { "fixed": "3.4.4" }, { "introduced": "3.5.0" }, { "fixed": "3.5.5" }, { "introduced": "3.6.0" }, { "fixed": "3.6.1" } ] }
Affected versions
3.*
3.0-POST-CLANG-FORMAT-WEBKIT
3.0-PRE-CLANG-FORMAT-WEBKIT
3.3-POST-CLANG-FORMAT-WEBKIT
3.3-PRE-CLANG-FORMAT-WEBKIT
3.4-POST-CLANG-FORMAT-WEBKIT
3.4-PRE-CLANG-FORMAT-WEBKIT
3.5-POST-CLANG-FORMAT-WEBKIT
3.5-PRE-CLANG-FORMAT-WEBKIT
3.6-POST-CLANG-FORMAT-WEBKIT
3.6-PRE-CLANG-FORMAT-WEBKIT
Other
OpenSSL_1_0_2u
OpenSSL_1_1_1w
openssl-3.*
openssl-3.0.0
openssl-3.0.1
openssl-3.0.10
openssl-3.0.11
openssl-3.0.12
openssl-3.0.13
openssl-3.0.14
openssl-3.0.15
openssl-3.0.16
openssl-3.0.17
openssl-3.0.18
openssl-3.0.2
openssl-3.0.3
openssl-3.0.4
openssl-3.0.5
openssl-3.0.6
openssl-3.0.7
openssl-3.0.8
openssl-3.0.9
openssl-3.3.0
openssl-3.3.1
openssl-3.3.2
openssl-3.3.3
openssl-3.3.4
openssl-3.3.5
openssl-3.4.0
openssl-3.4.1
openssl-3.4.2
openssl-3.4.3
openssl-3.5.0
openssl-3.5.1
openssl-3.5.2
openssl-3.5.3
openssl-3.5.4
openssl-3.6.0
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22796.json"
vanir_signatures
[
{
"deprecated": false,
"target": {
"file": "apps/s_client.c"
},
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12",
"signature_version": "v1",
"id": "CVE-2026-22796-09b46f75",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"function": "s_client_main",
"file": "apps/s_client.c"
},
"digest": {
"length": 48739.0,
"function_hash": "199855863195958881625652055964543723547"
},
"source": "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2",
"signature_version": "v1",
"id": "CVE-2026-22796-0b6c52aa",
"signature_type": "Function"
},
{
"deprecated": false,
"target": {
"function": "s_client_main",
"file": "apps/s_client.c"
},
"digest": {
"length": 46133.0,
"function_hash": "89525939813841793658939652477796738403"
},
"source": "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49",
"signature_version": "v1",
"id": "CVE-2026-22796-135694a1",
"signature_type": "Function"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
},
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49",
"signature_version": "v1",
"id": "CVE-2026-22796-1be6bf98",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
},
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12",
"signature_version": "v1",
"id": "CVE-2026-22796-23f9a2c6",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
},
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e",
"signature_version": "v1",
"id": "CVE-2026-22796-276a6f9a",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"function": "s_client_main",
"file": "apps/s_client.c"
},
"digest": {
"length": 48972.0,
"function_hash": "137663506870388774154075225648218501066"
},
"source": "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4",
"signature_version": "v1",
"id": "CVE-2026-22796-30c3a1ca",
"signature_type": "Function"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
},
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2",
"signature_version": "v1",
"id": "CVE-2026-22796-3311f579",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "apps/s_client.c"
},
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e",
"signature_version": "v1",
"id": "CVE-2026-22796-3ae22c42",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "apps/s_client.c"
},
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4",
"signature_version": "v1",
"id": "CVE-2026-22796-564c849c",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"function": "s_client_main",
"file": "apps/s_client.c"
},
"digest": {
"length": 48972.0,
"function_hash": "137663506870388774154075225648218501066"
},
"source": "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12",
"signature_version": "v1",
"id": "CVE-2026-22796-5e98e146",
"signature_type": "Function"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
},
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e",
"signature_version": "v1",
"id": "CVE-2026-22796-68a85aee",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs12/p12_kiss.c"
},
"digest": {
"line_hashes": [
"60877912797987591188065755797983277280",
"251788162060282103686621368991676932733",
"40400787577453108895692359634937979252",
"331144855365863902029291104116453962179",
"88149325502830834177707272741538263698",
"104081780024832426122495621692374432985",
"320309570822310705485919480150939913446"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4",
"signature_version": "v1",
"id": "CVE-2026-22796-86099db0",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "apps/s_client.c"
},
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49",
"signature_version": "v1",
"id": "CVE-2026-22796-8f8ff17b",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "apps/s_client.c"
},
"digest": {
"line_hashes": [
"71476756686855470599937379985047700091",
"166895001063044813957862891151407698928",
"278712318572386455087903167506773264569",
"62751701112678304274354497278072631412",
"305528711857785099232457614306160091925"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2",
"signature_version": "v1",
"id": "CVE-2026-22796-991d33fa",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
},
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12",
"signature_version": "v1",
"id": "CVE-2026-22796-af52563c",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "include/openssl/opensslv.h"
},
"digest": {
"line_hashes": [
"28170854778703993674264004058177114599",
"73132526844288570625317440636111911761",
"177405411499435185068645597737938634778",
"224809958623850711330610094965797758930",
"295554444428855106393106961197201359586"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86",
"signature_version": "v1",
"id": "CVE-2026-22796-c377fa22",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
},
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49",
"signature_version": "v1",
"id": "CVE-2026-22796-d52a9a4d",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
},
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4",
"signature_version": "v1",
"id": "CVE-2026-22796-d6153be7",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "crypto/opensslv.h"
},
"digest": {
"line_hashes": [
"251633914150035957322733061977107206211",
"338514574181828579838011565939158652696",
"76638288692106140328510055542557597351",
"142922657400765574308962710386922248045",
"71649992455794854055653842592139575350",
"65527166711110472566013424527579064967",
"253196866009476977787139000804413898733",
"172177136897997206866313011107384691461"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8",
"signature_version": "v1",
"id": "CVE-2026-22796-e051451f",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"file": "crypto/pkcs7/pk7_doit.c"
},
"digest": {
"line_hashes": [
"246451924573170111765630526962404097757",
"196617962610438348365718973266564583117",
"284857352021339567897482824767365180593",
"273428943801490059425881941273658322840"
],
"threshold": 0.9
},
"source": "https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2",
"signature_version": "v1",
"id": "CVE-2026-22796-f144311b",
"signature_type": "Line"
},
{
"deprecated": false,
"target": {
"function": "s_client_main",
"file": "apps/s_client.c"
},
"digest": {
"length": 48969.0,
"function_hash": "127898544240712534256163966369522564864"
},
"source": "https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e",
"signature_version": "v1",
"id": "CVE-2026-22796-fbed4a44",
"signature_type": "Function"
}
]