OpenSSL up to 3.4.5/3.5.6/3.6.2/4.0.0 OSSL_CMP_get1_rootCaKeyUpdate certificate validation
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.4 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic was found in OpenSSL up to 3.4.5/3.5.6/3.6.2/4.0.0. Impacted is the function OSSL_CMP_get1_rootCaKeyUpdate. Such manipulation leads to certificate validation.
This vulnerability is uniquely identified as CVE-2026-42769. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is advised.
Details
A vulnerability was found in OpenSSL up to 3.4.5/3.5.6/3.6.2/4.0.0 and classified as problematic. Affected by this issue is the function OSSL_CMP_get1_rootCaKeyUpdate. The manipulation with an unknown input leads to a certificate validation vulnerability. Using CWE to declare the problem leads to CWE-295. The product does not validate, or incorrectly validates, a certificate. Impacted is integrity. CVE summarizes:
Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
The advisory is shared for download at openssl-library.org. This vulnerability is handled as CVE-2026-42769 since 04/29/2026. The exploitation is known to be difficult. The attack may be launched remotely. No form of authentication is required for exploitation. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 06/30/2026). The MITRE ATT&CK project declares the attack technique as T1587.003.
The vulnerability scanner Nessus provides a plugin with the ID 320330 (Linux Distros Unpatched Vulnerability : CVE-2026-42769), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 3.4.6, 3.5.7, 3.6.3 or 4.0.1 eliminates this vulnerability.
The vulnerability is also documented in the databases at Tenable (320330) and CERT Bund (WID-SEC-2026-1852). Once again VulDB remains the best source for vulnerability data.
Affected
- Debian Linux
- Amazon Linux 2
- FreeBSD Project FreeBSD OS
- Red Hat Enterprise Linux
- Fedora Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- NetApp FAS
- NetApp AFF
- SUSE openSUSE
- RESF Rocky Linux
- Open Source OpenSSL
Product
Type
Name
Version
License
Website
- Product: https://www.openssl.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.5VulDB Meta Temp Score: 4.4
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
ADP CISA Base Score: 5.3
ADP CISA Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Certificate validationCWE: CWE-295 / CWE-287
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 320330
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2026-42769
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: OpenSSL 3.4.6/3.5.7/3.6.3/4.0.1
Timeline
04/29/2026 CVE reserved06/09/2026 Advisory disclosed
06/09/2026 VulDB entry created
06/30/2026 VulDB entry last update
Sources
Product: openssl.orgAdvisory: openssl-library.org
Status: Confirmed
CVE: CVE-2026-42769 (🔒)
GCVE (CVE): GCVE-0-2026-42769
GCVE (VulDB): GCVE-100-369572
CERT Bund: WID-SEC-2026-1852 - OpenSSL: Mehrere Schwachstellen
Entry
Created: 06/09/2026 19:08Updated: 06/30/2026 11:07
Changes: 06/09/2026 19:08 (55), 06/09/2026 19:11 (1), 06/11/2026 05:54 (2), 06/13/2026 22:50 (11), 06/30/2026 11:07 (7)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.