CVE-2026-45447

When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.

In the common case this occurs when the application later calls BIOfree() on the BIO originally passed to PKCS7verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.

Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45447.json",
    "cwe_ids": [
        "CWE-416"
    ],
    "cna_assigner": "openssl"
}

References

Affected packages

Git / github.com/openssl/openssl

Affected ranges

Type

GIT

Repo

https://github.com/openssl/openssl

Events

Introduced

11b7b6ea3b65a584e1d31408ed1bdb139465cffd

Fixed

1e963a8680ec78ad2072792c7a1a71f3c530bd2e

Introduced

7b371d80d959ec9ab4139d09d78e83c090de9779

Fixed

aae016bfd52fcad2bc9657c2c782cfdf73b1ed5f

Introduced

636dfadc70ce26f2473870570bfd9ec352806b1d

Fixed

8cf17aaeb4599f8af87fefd810b5b5fee90fe69e

Introduced

98acb6b02839c609ef5b837794e08d906d965335

Fixed

c5ea1cc227fd60afae8ac4b9438690bbe4888f79

Introduced

89cd17a031e022211684eb7eb41190cf1910f9fa

Fixed

51ea949dc1436e865935b47874b21a3bb31a102e

Introduced

e04bd3433fd84e1861bf258ea37928d9845e6a86

Fixed

e04bd3433fd84e1861bf258ea37928d9845e6a86

Introduced

e818b74be2170fbe957a07b0da4401c2b694b3b8

Fixed

e818b74be2170fbe957a07b0da4401c2b694b3b8

Database specific

{
    "extracted_events": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.1"
        },
        {
            "introduced": "3.6.0"
        },
        {
            "fixed": "3.6.3"
        },
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.7"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.6"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.21"
        },
        {
            "introduced": "1.1.1"
        },
        {
            "fixed": "1.1.1zh"
        },
        {
            "introduced": "1.0.2"
        },
        {
            "fixed": "1.0.2zq"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

3.*

3.0-POST-CLANG-FORMAT-WEBKIT

3.0-PRE-CLANG-FORMAT-WEBKIT

3.4-POST-CLANG-FORMAT-WEBKIT

3.4-PRE-CLANG-FORMAT-WEBKIT

3.5-POST-CLANG-FORMAT-WEBKIT

3.5-PRE-CLANG-FORMAT-WEBKIT

3.6-POST-CLANG-FORMAT-WEBKIT

3.6-PRE-CLANG-FORMAT-WEBKIT

openssl-3.*

openssl-3.0.0

openssl-3.0.1

openssl-3.0.10

openssl-3.0.11

openssl-3.0.12

openssl-3.0.13

openssl-3.0.14

openssl-3.0.15

openssl-3.0.16

openssl-3.0.17

openssl-3.0.18

openssl-3.0.19

openssl-3.0.2

openssl-3.0.20

openssl-3.0.3

openssl-3.0.4

openssl-3.0.5

openssl-3.0.6

openssl-3.0.7

openssl-3.0.8

openssl-3.0.9

openssl-3.4.0

openssl-3.4.1

openssl-3.4.2

openssl-3.4.3

openssl-3.4.4

openssl-3.4.5

openssl-3.5.0

openssl-3.5.1

openssl-3.5.2

openssl-3.5.3

openssl-3.5.4

openssl-3.5.5

openssl-3.5.6

openssl-3.6.0

openssl-3.6.1

openssl-3.6.2

openssl-4.*

openssl-4.0.0

Database specific

vanir_signatures

[
    {
        "digest": {
            "line_hashes": [
                "28170854778703993674264004058177114599",
                "73132526844288570625317440636111911761",
                "177405411499435185068645597737938634778",
                "224809958623850711330610094965797758930",
                "295554444428855106393106961197201359586"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2026-45447-c377fa22",
        "signature_version": "v1",
        "target": {
            "file": "include/openssl/opensslv.h"
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86"
    },
    {
        "digest": {
            "line_hashes": [
                "251633914150035957322733061977107206211",
                "338514574181828579838011565939158652696",
                "76638288692106140328510055542557597351",
                "142922657400765574308962710386922248045",
                "71649992455794854055653842592139575350",
                "65527166711110472566013424527579064967",
                "253196866009476977787139000804413898733",
                "172177136897997206866313011107384691461"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2026-45447-e051451f",
        "target": {
            "file": "crypto/opensslv.h"
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8"
    }
]

vanir_signatures_modified

"2026-06-11T08:15:14Z"

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45447.json"