PT-2026-47844 · Openssl · Openssl

Igor Ustinov +1

Published 2026-06-09 · Updated 2026-06-09

CVE-2026-45447

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenSSL (affected versions not specified)

Description: A use-after-free condition occurs during PKCS#7 signature verification when a specially crafted PKCS#7 or S/MIME signed message is processed. Specifically, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, the PKCS7_verify() function may incorrectly free a caller-owned BIO. A subsequent attempt by the calling application to use or free that BIO via BIO_free() can lead to process crashes, heap corruption, or potentially remote code execution. Applications using the OpenSSL PKCS#7 APIs are affected; those using the CMS APIs are not. The FIPS modules in versions 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
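Until a fixed release is available, an application can refuse input that matches the advisory's trigger condition before handing it to PKCS7_verify(). The following dependency-free Python pre-check is an added example (not OpenSSL code and not part of the advisory): it walks the DER of a PKCS#7 ContentInfo and reports whether a signedData message carries an empty digestAlgorithms SET. The sample messages it builds are constructed structural skeletons for testing the check, not real signed messages.

```python
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
ID_DATA_OID = bytes.fromhex("2a864886f70d010701")      # 1.2.840.113549.1.7.1
SHA256_OID = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos; definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                       # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def expect(buf, pos, want, what):
    """Read the element at pos and insist on a given tag; returns (value_start, value_end)."""
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")
    return start, end

def has_empty_digest_algorithms(der):
    """True if der is PKCS#7 signedData whose digestAlgorithms SET has no elements."""
    ci_start, _ = expect(der, 0, 0x30, "ContentInfo")
    oid_start, oid_end = expect(der, ci_start, 0x06, "contentType")
    if der[oid_start:oid_end] != SIGNED_DATA_OID:
        return False                        # not signedData, so the condition cannot apply
    content_start, _ = expect(der, oid_end, 0xA0, "content [0]")
    sd_start, _ = expect(der, content_start, 0x30, "SignedData")
    _, ver_end = expect(der, sd_start, 0x02, "version")
    set_start, set_end = expect(der, ver_end, 0x31, "digestAlgorithms")
    return set_start == set_end             # an empty SET has zero content bytes

def tlv(tag, payload):                      # DER-encode one short element (payloads here stay < 128 bytes)
    return bytes([tag, len(payload)]) + payload

def signed_data_skeleton(digest_algs):
    """Constructed sample: a minimal signedData shell with the given digestAlgorithms content."""
    body = (tlv(0x02, b"\x01") + tlv(0x31, digest_algs)            # version, digestAlgorithms
            + tlv(0x30, tlv(0x06, ID_DATA_OID)) + tlv(0x31, b""))   # contentInfo, signerInfos
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, tlv(0x30, body)))

SHA256_ALG = tlv(0x30, tlv(0x06, SHA256_OID) + b"\x05\x00")    # AlgorithmIdentifier for sha256
EMPTY_SET_SAMPLE = signed_data_skeleton(b"")                   # constructed: flagged by the check
NORMAL_SAMPLE = signed_data_skeleton(SHA256_ALG)               # constructed: passes the check
```

For an S/MIME message, base64-decode the signed body first and pass the resulting DER to the check; a ValueError means the input is malformed and should be rejected as well.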

Tags: RCE · Use After Free

Weakness Enumeration

Related Identifiers: CVE-2026-45447

Affected Products: Openssl