Industry News & Leadership · Jun 10, 2026

Critical OpenSSL Vulnerabilities Enable Remote Code Execution Attacks

Cybersecurity News · Archived Jun 10, 2026




By Abinaya, June 10, 2026

A security advisory from OpenSSL on June 9, 2026, warns of a critical vulnerability that could allow remote code execution when applications process specially crafted PKCS7 or S/MIME signed messages. The flaw, tracked as CVE‑2026‑45447, is a heap use‑after‑free bug in the PKCS7_verify function that can corrupt memory and, in some deployment scenarios, allow attackers to run arbitrary code on vulnerable systems.

The issue occurs when a signed message contains an empty SignedData.digestAlgorithms ASN.1 SET, which causes OpenSSL to free a BIO object owned by the calling application while leaving that application unaware of the change. If the application later reuses or frees the same BIO, it may hit a use‑after‑free condition that can result in crashes, heap corruption, or controlled exploitation, depending on the allocator's behavior and how the BIO is managed.

Critical OpenSSL RCE Vulnerabilities

The vulnerability affects applications that use OpenSSL's PKCS7 APIs to verify PKCS7 or S/MIME signatures. Applications that rely on the CMS APIs for the same functionality are not impacted.

The advisory states that OpenSSL versions 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1, and 1.0.2 are all vulnerable to CVE‑2026‑45447, and it provides patched releases for each affected branch. Administrators are urged to upgrade to OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, or 3.0.21, while customers with extended support for legacy lines should move to 1.1.1zh or 1.0.2zq. The FIPS modules for 4.0, 3.6, 3.5, 3.4, and 3.0 are not impacted by this particular issue, as the vulnerable code lies outside the FIPS boundary.

Alongside the critical PKCS7 bug, the advisory details numerous additional vulnerabilities, ranging from high to moderate severity, in different parts of the OpenSSL codebase. These include:

- weaknesses in CMS AuthEnvelopedData processing that can grant key‑equivalent capabilities or integrity bypass;
- QUIC logic flaws that enable denial of service through memory exhaustion or NULL pointer dereferences;
- an AES‑OCB misuse issue in which IVs are silently ignored when the low‑level EVP_Cipher interface is used, breaking nonce uniqueness and tag authenticity;
- several ASN.1 parsing bugs, PKCS12 PBMAC1 validation issues, and CMS password‑based decryption problems;
- CMP handling flaws, many of which primarily lead to denial of service but in some cases may enable more advanced cryptographic attacks.

OpenSSL's own protocols such as TLS, QUIC, CMS, PKCS7, HPKE, and S/MIME are affected in different combinations depending on the specific vulnerability, configuration, and feature usage. However, some of the most dangerous cryptographic weaknesses affect only custom applications that use low‑level EVP primitives or implement bespoke messaging protocols on top of OpenSSL, especially when they fail to enforce strict input validation or rely on error codes as oracles.

The OpenSSL team recommends that organizations not only patch to the latest versions but also audit their use of PKCS7, CMS, QUIC, AES‑OCB, AES‑SIV, and PKCS12 workflows to identify any high‑risk exposure. Where upgrading is delayed, turn off nonessential features such as OCSP stapling and vulnerable PKCS7‑based paths as an interim hardening step.
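Added here as an illustration, not code from the advisory or from the OpenSSL project: a Python pre-check that walks the DER of a PKCS7 ContentInfo and reports whether it carries the trigger the advisory describes, an empty SignedData.digestAlgorithms SET, so an application that cannot yet upgrade can reject such input before it ever reaches PKCS7_verify. The DER helpers, function names and sample messages are constructed for this example, and it assumes the DER has already been unwrapped from any S/MIME base64 encoding.

```python
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")         # id-data 1.2.840.113549.1.7.1
SHA256_OID = bytes.fromhex("608648016503040201")       # id-sha256 2.16.840.1.101.3.4.2.1

def read_tlv(buf, pos):
    """Decode the DER tag and length at pos (single-byte tags); return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def walk(buf, pos, want):
    """Read the TLV at pos and require tag `want`; return its (value_start, value_end)."""
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x} at offset {pos}, got 0x{tag:02x}")
    return start, end

def has_empty_digest_algorithms(der):
    """True if der is ContentInfo(signedData) whose SignedData.digestAlgorithms SET is empty."""
    ci_start, _ = walk(der, 0, 0x30)                  # ContentInfo ::= SEQUENCE
    oid_start, oid_end = walk(der, ci_start, 0x06)    # contentType OBJECT IDENTIFIER
    if der[oid_start:oid_end] != SIGNED_DATA_OID:
        return False                                  # some other PKCS7 content type
    c_start, _ = walk(der, oid_end, 0xA0)             # content [0] EXPLICIT
    sd_start, _ = walk(der, c_start, 0x30)            # SignedData ::= SEQUENCE
    _, ver_end = walk(der, sd_start, 0x02)            # version INTEGER
    set_start, set_end = walk(der, ver_end, 0x31)     # digestAlgorithms SET OF AlgorithmIdentifier
    return set_end == set_start

def tlv(tag, body):
    """Encode one short-form DER TLV (the constructed samples all stay under 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_signed_data(digest_algs):
    """Constructed minimal ContentInfo(signedData) carrying the given digestAlgorithms SET body."""
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, digest_algs)
                 + tlv(0x30, DATA_OID) + tlv(0x31, b""))   # version, digestAlgorithms, contentInfo, signerInfos
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, signed))

SHA256_ALGID = tlv(0x30, tlv(0x06, SHA256_OID) + tlv(0x05, b""))  # AlgorithmIdentifier { sha256, NULL }
```

A message that fails this check should be rejected and logged rather than passed on; a malformed or truncated blob raises ValueError so it is never silently accepted.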