Low

Bleichenbacher Oracle in OpenSSL CMS_decrypt() and PKCS7_decrypt()

IdentifiersCVE-2026-42768CWE-203

CVE-2026-42768 is a low-severity Bleichenbacher-style adaptive chosen-ciphertext oracle in OpenSSL's CMS_decrypt() and PKCS7_decrypt() handling of RSA PKCS#1 v1.5 Key Transport in CMS/S/MIME messages. The issue affects OpenSSL 4.0.0 before 4.0.1, 3.6.0 before 3.6.3, 3.5.0 before 3.5.7, and 3.4.0 before 3.4.6. In one variant, when the decryption API is used without supplying the recipient certificate, OpenSSL iterates over all KeyTransRecipientInfo entries instead of stopping at the first success. An attacker can craft a message containing two KTRI entries, with one legitimate wrapped CEK and one probe ciphertext, and use application-visible error behavior to test PKCS#1 v1.5 padding validity. In the second variant, when a recipient certificate is supplied but no matching recipient is found, OpenSSL substitutes a random key; if an attacker can compare both the error code and decryption result, this also creates an oracle. The flaw arises from distinguishable decryption behavior around RSA PKCS#1 v1.5 processing, enabling Bleichenbacher-style probing against the victim's private RSA key operations.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can turn the victim application into an RSA decryption or signing oracle. Under the required conditions, an attacker can decrypt arbitrary RSA ciphertexts intended for the victim's private key or forge PKCS#1 v1.5 signatures using that key. Depending on application behavior, this can undermine confidentiality of encrypted CMS/S/MIME content and the integrity or authenticity guarantees associated with RSA private-key operations.

Mitigation

If you can’t patch tonight, do this now.

Provide the recipient certificate when calling CMS_decrypt() or PKCS7_decrypt() to avoid ambiguous RecipientInfo processing. Do not expose distinguishable error codes, decryption success/failure signals, or decryption output differences to untrusted parties. Reduce or eliminate attacker ability to submit arbitrary CMS or S/MIME messages for decryption and observe detailed outcomes. Where possible, avoid RSA PKCS#1 v1.5 key transport in favor of safer constructions. The advisory notes that applications exposing the full remote attack conditions are believed to be unlikely.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release: 4.0.1 or later, 3.6.3 or later, 3.5.7 or later, or 3.4.6 or later, as applicable. The fix enables implicit rejection for RSA PKCS#1 v1.5 Key Transport in EVP_PKEY_decrypt(), aligning behavior with the implicit rejection approach described in draft-irtf-cfrg-rsa-guidance. Applications should also provide the intended recipient certificate to CMS_decrypt() or PKCS7_decrypt() so the correct RecipientInfo is selected explicitly.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

alpinelinuxNews

Jun 13, 2026

Alpine 3.24.1 released | Alpine Linux

An OpenSSL vulnerability addressed in Alpine Linux 3.24.1 as part of the June 9, 2026 advisory.

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A low-severity OpenSSL Bleichenbacher-style oracle vulnerability in CMS_decrypt() and PKCS7_decrypt() that can enable decryption or signing with a victim's private RSA key under narrow conditions.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-42768

NVD

nvd.nist.gov/vuln/detail/CVE-2026-42768

MITRE CWE · CWE-203

cwe.mitre.org

Patch

github.com/openssl/openssl/commit/a2ca7b2d73e0ffc1eae183fe6e1741dac767cb4f

Patch

github.com/openssl/openssl/commit/bbb151a83041705d9d001ed2f9c12f5523e1b54d

Patch

github.com/openssl/openssl/commit/dd68364107a58841c0a2546812518b65d3a23abd

Patch

github.com/openssl/openssl/commit/f04b377be3d821741c86d1f4bf84dee09f3d5c3e

Vendor Advisory

openssl-library.org/news/secadv/20260609.txt