OpenSSL up to 3.4.5/3.5.6/3.6.2/4.0.0 Decryption API CMS_decrypt/PKCS7_decrypt Bleichenbacher covert channel
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.6 | $5k-$25k | 0.72 |
Summary
A vulnerability marked as problematic has been reported in OpenSSL up to 3.4.5/3.5.6/3.6.2/4.0.0. This affects the function CMS_decrypt/PKCS7_decrypt of the component Decryption API. The manipulation leads to a covert channel.
This vulnerability is traded as CVE-2026-42768. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to upgrade the affected component.
Details
A vulnerability, which was classified as problematic, has been found in OpenSSL up to 3.4.5/3.5.6/3.6.2/4.0.0. This issue affects the function CMS_decrypt/PKCS7_decrypt of the component Decryption API. The manipulation with an unknown input leads to a covert channel vulnerability. Using CWE to declare the problem leads to CWE-514. A covert channel is a path that can be used to transfer information in a way not intended by the system's designers. Impacted is integrity. The summary by CVE is:
Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output.

Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key.

The attack is possible in 2 variants.

1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it.

2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle.

We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity.

To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption.

The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.
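The implicit rejection mechanism the summary describes, as an added Python illustration (not OpenSSL's code, and simplified from the draft's exact KDF and length-selection steps): a PKCS#1 v1.5 key unwrap that, on malformed padding, returns a key derived deterministically from the private key and the ciphertext instead of surfacing an error. The toy 150-bit RSA key built from two Mersenne primes and the sample CEK are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed toy RSA key from two Mersenne primes so the block runs offline
# (about 150 bits; sample data only, a real key transport key is 2048+ bits).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (19 for this toy key)


def wrap_cek(cek: bytes) -> bytes:
    """RSAES-PKCS1-v1_5 encrypt a content-encryption key: 00 02 || PS || 00 || CEK."""
    if len(cek) > K - 11:
        raise ValueError("CEK too long for modulus")
    ps = b""
    while len(ps) < K - 3 - len(cek):  # padding string: random non-zero bytes
        byte = os.urandom(1)
        if byte != b"\x00":
            ps += byte
    em = b"\x00\x02" + ps + b"\x00" + cek
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def synthetic_key(ciphertext: bytes, length: int) -> bytes:
    """Implicit-rejection fallback: a pseudo-random key that is a deterministic
    function of (private key, ciphertext), so repeated probes get the same answer
    and no 'bad padding' error is ever surfaced. Simplified from the draft's KDF."""
    kdk = hmac.new(D.to_bytes(K, "big"), ciphertext, hashlib.sha256).digest()
    return hmac.new(kdk, b"implicit-rejection", hashlib.sha256).digest()[:length]


def unwrap_cek(ciphertext: bytes, expected_len: int) -> bytes:
    """Decrypt with implicit rejection: valid padding of the expected length yields
    the real CEK; anything else yields the synthetic key of the same length.
    The padding check here is not constant-time, which a real implementation must be."""
    em = pow(int.from_bytes(ciphertext, "big"), D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)  # end of the padding string
    valid = (em[0] == 0 and em[1] == 2 and sep >= 10  # PS is at least 8 bytes
             and K - sep - 1 == expected_len)
    return em[sep + 1:] if valid else synthetic_key(ciphertext, expected_len)
```

Because the fallback is derived from the ciphertext rather than drawn fresh, two decryptions of the same probe agree, which is what denies the attacker a distinguishable error signal.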
The advisory is shared at openssl-library.org. The identification of this vulnerability is CVE-2026-42768 since 04/29/2026. The exploitation is known to be difficult. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 06/10/2026).
The vulnerability scanner Nessus provides a plugin with the ID 320343 (Linux Distros Unpatched Vulnerability : CVE-2026-42768), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 3.4.6, 3.5.7, 3.6.3 or 4.0.1 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at Tenable (320343). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product: https://www.openssl.org/
CVSSv3
VulDB Meta Base Score: 3.7
VulDB Meta Temp Score: 3.6
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
Exploiting
Class: Covert channel
CWE: CWE-514
Physical: No
Local: No
Remote: Yes
Status: Not defined
Nessus ID: 320343
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2026-42768
Countermeasures
Recommended: Upgrade
Upgrade: OpenSSL 3.4.6/3.5.7/3.6.3/4.0.1
Timeline
04/29/2026 CVE reserved
06/09/2026 Advisory disclosed
06/09/2026 VulDB entry created
06/10/2026 VulDB entry last update
Sources
Product: openssl.org
Advisory: openssl-library.org
Status: Confirmed
CVE: CVE-2026-42768
GCVE (CVE): GCVE-0-2026-42768
GCVE (VulDB): GCVE-100-369569
Entry
Created: 06/09/2026 19:07
Updated: 06/10/2026 22:42
Changes: 06/09/2026 19:07 (56), 06/10/2026 22:42 (2)