PT-2026-4955 · Openssl+5

Bob Beck +1 · Published 2026-01-01 · Updated 2026-03-15 · CVE-2026-22796

CVSS v3.1: 5.3 (Medium) · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: OpenSSL versions 1.0.2 through 3.6

Description: A type confusion issue exists in the signature verification of signed PKCS#7 data. It occurs when an ASN1_TYPE union member is accessed without first validating the type, which can lead to an invalid or NULL pointer dereference while processing malformed PKCS#7 data. Exploiting this requires an attacker to supply a malformed signed PKCS#7 message to an application that verifies it. The impact of exploitation is a denial of service. The vulnerable code is in the PKCS7_digest_from_attributes() function, which reads the message digest attribute value without validating its type; the result is an access to invalid memory through the ASN1_TYPE union, causing a crash. The PKCS7 API is considered legacy, and applications should use the CMS API instead.

Recommendations: OpenSSL version 1.0.2: update to a newer version. OpenSSL versions 1.1.1 through 3.6: update to the latest version.
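The unchecked union access the description refers to, next to the tag check that prevents it, as an added C example. This is a constructed model, not OpenSSL's code: the ASN1_TYPE and ASN1_OCTET_STRING structs are reduced to the members needed here, and the digest_unchecked, digest_checked and verify_message_digest functions are hypothetical names for illustration (only the V_ASN1_* tag values follow OpenSSL).

```c
#include <string.h>

/* Constructed model of OpenSSL's ASN1_TYPE tagged union: only the members this
 * example needs are modelled (assumption; the real type is in <openssl/asn1.h>).
 * Tag numbers follow the real V_ASN1_* values. */
#define V_ASN1_BOOLEAN      1
#define V_ASN1_OCTET_STRING 4
#define V_ASN1_NULL         5

typedef struct { int length; const unsigned char *data; } ASN1_OCTET_STRING;

typedef struct {
    int type;                         /* which union member is live */
    union {
        void *ptr;                    /* NULL for an ASN.1 NULL value */
        ASN1_OCTET_STRING *octet_string;
        int boolean;                  /* not a pointer at all */
    } value;
} ASN1_TYPE;

/* Vulnerable pattern: assume messageDigest is an OCTET STRING and read that
 * union member without looking at the tag. A NULL-encoded attribute hands the
 * caller a NULL pointer; a BOOLEAN hands back an int reinterpreted as a
 * pointer. Either way the caller's later dereference crashes. */
ASN1_OCTET_STRING *digest_unchecked(const ASN1_TYPE *attr)
{
    return attr->value.octet_string;
}

/* Hardened pattern: validate the tag first and refuse anything else. */
ASN1_OCTET_STRING *digest_checked(const ASN1_TYPE *attr)
{
    if (attr == NULL || attr->type != V_ASN1_OCTET_STRING)
        return NULL;
    return attr->value.octet_string;
}

/* Simulated verifier step (hypothetical, not the PKCS7 API): compare the
 * attribute digest with the digest computed over the signed content.
 * Returns 1 on match, 0 on mismatch, -1 when the attribute is malformed. */
int verify_message_digest(const ASN1_TYPE *attr, const unsigned char *computed, int len)
{
    const ASN1_OCTET_STRING *md = digest_checked(attr);
    if (md == NULL)
        return -1;                    /* reject without dereferencing */
    return (md->length == len && memcmp(md->data, computed, len) == 0) ? 1 : 0;
}
```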

Fix · DoS

Weakness Enumeration: Improper Check for Exceptional Conditions

Related Identifiers

ALSA-2026:1472
ALSA-2026:1473
BDU:2026-01220
CVE-2026-22796
ECHO-F3F1-7685-1435
MGASA-2026-0029
OPENSUSE-SU-2026:20152-1
RHSA-2026:1472
RHSA-2026:1473
SUSE-SU-2026:0309-1
SUSE-SU-2026:0310-1
SUSE-SU-2026:0311-1
SUSE-SU-2026:0312-1
SUSE-SU-2026:0331-1
SUSE-SU-2026:0332-1
SUSE-SU-2026:0333-1
SUSE-SU-2026:0343-1
SUSE-SU-2026:0346-1
SUSE-SU-2026:0358-1
SUSE-SU-2026:0359-1
SUSE-SU-2026:0360-1
SUSE-SU-2026:0498-1
SUSE-SU-2026:20211-1
SUSE-SU-2026:20223-1
SUSE-SU-2026:20349-1
SUSE-SU-2026:20373-1
USN-7980-1
USN-7980-2

Affected Products

Freebsd
Ibm Aix
Linuxmint
Openssl
Rocky Linux
Ubuntu