OpenSSL: NULL Pointer Dereference in CMS KeyAgreeRecipientInfo Parsing
CWE-476
NULL Pointer Dereference
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Per the OpenSSL Security Advisory [7th April 2026]: “During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.” Per NVD: “Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service.”
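The trigger lives in a specific branch of the CMS structure: an EnvelopedData whose recipientInfos SET contains a KeyAgreeRecipientInfo, which is the `[1]` alternative of the RecipientInfo CHOICE (RFC 5652 section 6.2). Until a patched library is deployed, a service that accepts CMS from untrusted senders can at least recognise such messages in front of OpenSSL and log, quarantine or rate-limit them. The following is an added example, not code from OpenSSL or the advisory: a minimal DER walker that classifies a ContentInfo by recipient type. The function names are mine, the sample messages are constructed stubs (they are structurally valid enough to classify but carry no real keys or ciphertext), and nothing here is a crafted trigger.

```python
# Added example, not part of the OpenSSL project: flag CMS EnvelopedData
# messages that carry a KeyAgreeRecipientInfo ([1] in the RecipientInfo CHOICE,
# RFC 5652 s6.2) so an application can log or quarantine them before the bytes
# reach an unpatched OpenSSL. This does not validate the message and is not an
# exploit; it only walks the outer DER structure.

ENVELOPED_DATA_OID = bytes.fromhex("2a864886f70d010703")  # id-envelopedData 1.2.840.113549.1.7.3

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:end], end

def iter_children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child

def cms_recipient_types(der):
    """Return the RecipientInfo CHOICE tags found in a CMS EnvelopedData,
    or None if the input is not a ContentInfo of type id-envelopedData."""
    tag, content_info, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    kids = list(iter_children(content_info))
    if len(kids) != 2 or kids[0][0] != 0x06 or kids[0][1] != ENVELOPED_DATA_OID:
        return None
    if kids[1][0] != 0xA0:                  # content [0] EXPLICIT
        raise ValueError("content must be [0] EXPLICIT")
    tag, enveloped, _ = read_tlv(kids[1][1], 0)
    if tag != 0x30:
        raise ValueError("EnvelopedData must be a SEQUENCE")
    fields = list(iter_children(enveloped))
    # version INTEGER, optional [0] IMPLICIT originatorInfo, then recipientInfos SET
    idx = 1
    if idx < len(fields) and fields[idx][0] == 0xA0:
        idx += 1
    if idx >= len(fields) or fields[idx][0] != 0x31:
        raise ValueError("recipientInfos SET not found")
    return [t for t, _ in iter_children(fields[idx][1])]

def uses_key_agreement(der):
    """True when at least one RecipientInfo is a KeyAgreeRecipientInfo ([1])."""
    types = cms_recipient_types(der)
    return bool(types) and 0xA1 in types

# --- constructed sample messages (stubs for classification only) ---
def tlv(tag, body):
    assert len(body) < 128               # short-form lengths suffice for the stubs
    return bytes([tag, len(body)]) + body

_ktri = tlv(0x30, tlv(0x02, b"\x00"))    # KeyTransRecipientInfo stub (SEQUENCE)
_kari = tlv(0xA1, tlv(0x02, b"\x03"))    # KeyAgreeRecipientInfo stub ([1], version 3)
_eci = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))  # encryptedContentInfo stub

def build_sample(recipients):
    enveloped = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x31, b"".join(recipients)) + _eci)
    return tlv(0x30, tlv(0x06, ENVELOPED_DATA_OID) + tlv(0xA0, enveloped))

SAMPLE_KARI = build_sample([_ktri, _kari])   # one key-transport and one key-agreement recipient
SAMPLE_KTRI = build_sample([_ktri])          # key-transport only

if __name__ == "__main__":
    print("kari sample:", cms_recipient_types(SAMPLE_KARI), uses_key_agreement(SAMPLE_KARI))
    print("ktri sample:", cms_recipient_types(SAMPLE_KTRI), uses_key_agreement(SAMPLE_KTRI))
```

The walker is deliberately strict (it rejects indefinite lengths and multi-byte tags, which DER-encoded CMS does not use) so that a malformed outer structure is reported as an error rather than silently classified. It is a triage aid, not a mitigation: a message that uses key agreement is not necessarily malicious, and the only real fix is the patched release.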
Affected Packages / Versions
- Package: openssl (3.x)
- Latest published version at triage time: OpenSSL 3.0–3.6 (per upstream advisory)
- Affected range: per OpenSSL Security Advisory [7th April 2026]: OpenSSL 3.0, 3.3, 3.4, 3.5 and 3.6. OpenSSL 1.0.2 and 1.1.1 are NOT affected. The advisory does not mention the 3.1 and 3.2 branches; they are no longer supported upstream, so an editorial caveat applies: treat them as affected with no upstream fix available and move to a supported branch.
- Patched versions: per OpenSSL Security Advisory [7th April 2026]: OpenSSL 3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2.
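For inventory work, the version list above is easiest to apply as a small classifier over whatever `openssl version` or Python's `ssl.OPENSSL_VERSION` reports. The following is an added example, not the OpenSSL project's code; the function names and the sample version strings are mine, and the fixed-release table is copied from the advisory.

```python
# Added example, not the OpenSSL project's code: classify an OpenSSL version
# string against the fixed releases in the 7 April 2026 advisory.
import re
import ssl

# Fixed releases per the advisory; 1.0.2 and 1.1.1 are not affected.
FIXED = {(3, 0): 20, (3, 3): 7, (3, 4): 5, (3, 5): 6, (3, 6): 2}
NOT_AFFECTED = {(1, 0), (1, 1)}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")

def classify_openssl_version(text):
    """Return 'fixed', 'affected', 'not-affected' or 'unlisted'.

    'unlisted' covers branches the advisory does not name (for example 3.1 and
    3.2, assumed out of upstream support) and non-OpenSSL libraries such as
    LibreSSL, whose version numbers must not be compared against this table.
    """
    text = text.strip()
    if text.startswith("LibreSSL"):
        return "unlisted"
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in NOT_AFFECTED:
        return "not-affected"
    if branch not in FIXED:
        return "unlisted"
    return "fixed" if patch >= FIXED[branch] else "affected"

def local_openssl_status():
    """Status of the OpenSSL this interpreter's ssl module is linked against."""
    return classify_openssl_version(ssl.OPENSSL_VERSION)

if __name__ == "__main__":
    # Constructed sample strings in the shape `openssl version` prints.
    for s in ["OpenSSL 3.6.1", "OpenSSL 3.6.2", "3.0.19", "OpenSSL 1.1.1w", "3.2.4", "LibreSSL 3.3.6"]:
        print(f"{s:20} -> {classify_openssl_version(s)}")
    print(f"{ssl.OPENSSL_VERSION!r} -> {local_openssl_status()}")
```

Two caveats when using this against a fleet. Distribution packages that backport the fix keep the old upstream version string, so a result of "affected" on Debian, RHEL or similar should be checked against the package changelog before it is acted on. And an application that statically links or bundles its own OpenSSL (Python wheels, Java native libraries, Go cgo builds) is not covered by the system library's status at all; each bundled copy needs its own check.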
Impact
Per OpenSSL: “Denial of Service for an application.” A crash of the process that parses the message is the only documented outcome; the advisory describes a NULL pointer dereference (CWE-476), not a memory-corruption or information-disclosure path. OpenSSL's advisory rates the issue **Low**, while NVD scores it CVSS 7.5 (High). The two ratings measure different things rather than disagreeing on the facts: NVD applies the CVSS base-metric formula to an unauthenticated, network-reachable availability impact, whereas OpenSSL's Security Policy weights the exploit conditions (an attacker-supplied CMS message that yields only a crash). See Severity Rationale for how to apply this in triage.
Severity Rationale
Severity disagreement on the public record: OpenSSL's own advisory categorizes this as Low; NVD scores it CVSS 7.5 (High), AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The CVSS vector records that an unauthenticated attacker who can deliver a CMS EnvelopedData message over the network can crash the consuming process before any authentication or cryptographic check runs, with no confidentiality or integrity impact. The OpenSSL Low rating reflects its internal Security Policy, under which exposure depends on the application feeding untrusted CMS into the library. For triage, exposure is therefore the deciding question: a service that decrypts or unpacks CMS from external senders (S/MIME gateways, CMS-based certificate enrolment such as SCEP, document decryption endpoints) inherits the CVSS-level availability risk, while an application that only uses OpenSSL for TLS or for CMS it generates itself has no reachable trigger.
Fix
Per OpenSSL: “OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2.” The corresponding fixed releases for the other supported branches are 3.0.20, 3.3.7, 3.4.5 and 3.5.6 (listed above). Distribution packages that backport the fix usually keep the old upstream version string, so verify the package changelog rather than relying on `openssl version` alone, and remember that applications bundling their own copy of libcrypto must be updated separately from the system library.
Disclosure timeline
- TBD: Reported to vendor
- Apr 7, 2026: Patch released (OpenSSL Security Advisory of that date)
- Apr 7, 2026: Public disclosure (OpenSSL Security Advisory)
Fix Commit(s)
References
Discovered by Nathan Sportsman (Praetorian), per cve-research listing. Published April 29, 2026.