High

NULL Dereference in OpenSSL Certificate Verification with OCSP Checking

IdentifiersCVE-2026-42765CWE-476· NULL Pointer Dereference

CVE-2026-42765 is a NULL pointer dereference in OpenSSL certificate verification logic. The issue occurs when partial-chain verification is enabled together with OCSP response checking for the entire certificate chain. During OCSP response checking, the code assumes the next certificate in the verified chain is available as the issuer and attempts to access it. Although there is handling for self-signed certificates, when X509_V_FLAG_PARTIAL_CHAIN is enabled and the verified chain does not include a self-signed trusted anchor, the issuer for the last certificate in the chain is NULL. Dereferencing that NULL pointer causes the process to crash. The vulnerability affects OpenSSL 4.0.0 before 4.0.1 and 3.6.0 before 3.6.3. The affected code is outside the OpenSSL FIPS module boundary, and no FIPS modules are affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a process crash, resulting in denial of service. Based on the provided information, the impact is limited to application availability; no evidence is provided for code execution, memory corruption beyond the NULL dereference, confidentiality loss, or integrity compromise. Severity is described as Low because exploitation requires a non-default combination of certificate verification flags.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid enabling the vulnerable flag combination together. Specifically, disable OCSP response checking for the whole chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) or disable partial-chain verification (X509_V_FLAG_PARTIAL_CHAIN). Because both options are disabled by default, applications that do not explicitly enable both settings are not affected.

Remediation

Patch, then assume compromise.

Upgrade to a fixed OpenSSL release: 4.0.1 or later for the 4.0 branch, or 3.6.3 or later for the 3.6 branch. More generally, apply the vendor-provided patch or consume the corrected package from your operating system or distribution channel if OpenSSL is supplied downstream.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

security online infoNews

Jun 10, 2026

OpenSSL Security Patches Fix Remote Code Execution Risk

An OpenSSL NULL pointer dereference vulnerability in partial-chain certificate verification and OCSP status response processing that can cause an immediate server crash.

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A low-severity OpenSSL NULL dereference in certificate verification when OCSP checking for the whole chain is combined with partial-chain verification, leading to denial of service.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-42765

NVD

nvd.nist.gov/vuln/detail/CVE-2026-42765

MITRE CWE · CWE-476

NULL Pointer Dereference

Patch

github.com/openssl/openssl/commit/14340b7fa1d444615486bc137014b064e64ec334

Patch

github.com/openssl/openssl/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97

Vendor Advisory

openssl-library.org/news/secadv/20260609.txt