Openssl · Openssl · CVE-2026-42766
**Name of the Vulnerable Software and Affected Versions**
OpenSSL (affected versions not specified)
**Description**
A NULL pointer dereference can occur during the decryption of password-encrypted Cryptographic Message Syntax (CMS) messages. The issue arises because the OpenSSL CMS implementation dereferences the `PasswordRecipientInfo.keyDerivationAlgorithm` field without verifying its presence, despite it being defined as optional in the ASN.1 specification. An attacker can exploit this by providing a specially crafted CMS message, causing the application to crash and resulting in a Denial of Service.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.