High

Out-of-Bounds Read in OpenSSL CMS Password-Based Decryption

IdentifiersCVE-2026-9076CWE-125· Out-of-bounds Read

CVE-2026-9076 is a low-severity heap out-of-bounds read in OpenSSL's CMS password-based decryption path, specifically during RFC 3211 / PWRI key unwrap processing in kek_unwrap_key(). When OpenSSL processes attacker-supplied CMS data, the attacker can choose the key-encryption algorithm OID in the PWRI keyEncryptionAlgorithm field such that a stream-mode KEK cipher is used instead of a block cipher. The unwrap logic performs an RFC-mandated check-byte test that reads 7 bytes from a heap allocation sized from the wrapped key length. Although there is a minimum-length guard based on the wrapping cipher's block length, that guard is ineffective when the attacker-selected cipher is not a block cipher. As a result, the allocated buffer holding the unwrapped key may be too small for the check-byte read, causing a heap buffer over-read. The issue is reachable in applications that call CMS_decrypt() or CMS_decrypt_set1_password(), including equivalent openssl cms -decrypt -pwri_password usage, on untrusted CMS input. The over-read occurs during unwrap processing before password authentication succeeds, so attacker knowledge of the password is not required. The OpenSSL FIPS modules are not affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause a heap buffer over-read and potentially crash the target process, resulting in denial of service. The advisory states there is no information disclosure because the over-read bytes are not returned to the attacker or otherwise exposed. In practice, a crash requires the small over-read to cross into unmapped memory, such as when the heap allocation ends at a page boundary and the following page is unmapped, which OpenSSL notes is unlikely under normal allocator behavior. No code execution impact is described in the provided content.

Mitigation

If you can’t patch tonight, do this now.

Do not pass untrusted CMS content to CMS_decrypt() or CMS_decrypt_set1_password() until patched. Where operationally feasible, disable or avoid CMS password-based decryption / PWRI processing for untrusted inputs. Prefer rejecting CMS objects that use password recipient info or unexpected key-encryption algorithm OIDs. If exposure cannot be eliminated immediately, isolate the decryption operation in a separate process or sandbox to reduce denial-of-service impact. The content does not provide an official workaround beyond updating.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release. The provided content indicates fixes were included in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh, and 1.0.2zq, depending on branch. Downstream vendors may also provide patched packages; apply the vendor-supported security update for the affected platform or distribution.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A low-severity OpenSSL heap out-of-bounds read in CMS password-based decryption where attacker-controlled cipher selection can bypass length assumptions during PWRI key unwrap, potentially causing denial of service.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-9076

NVD

nvd.nist.gov/vuln/detail/CVE-2026-9076

MITRE CWE · CWE-125

Out-of-bounds Read

github.com

github.com/openssl/security/commit/05b066366842f930fadd9a6e94df98030af431bb

github.com

github.com/openssl/security/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0

github.com

github.com/openssl/security/commit/715349a1d7c6db970e6815dafb90915f07307f98

github.com

github.com/openssl/security/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26

github.com

github.com/openssl/security/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6

openssl-library.org

openssl-library.org/news/secadv/20260609.txt