CVE-2026-42765 (GCVE-0-2026-42765)

Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:48
VLAI
Title
NULL Dereference in Certificate Verification with OCSP Checking
Summary
Issue summary: When a partial-chain certificate verification is enabled together with OCSP response checking for the whole chain, a NULL dereference will happen if the verified chain does not have a self-signed trusted anchor, crashing the process. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When performing OCSP response checking for certificates in the verification chain, the code always tries to access the next certificate as the issuer. There is a check for a self-signed certificate. However with the partial chain verification enabled when the chain does not have a self-signed trusted anchor, the issuer will be NULL for the last certificate in the chain. A NULL pointer dereference then happens. This issue affects only applications which enable both OCSP verification of the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial chain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate verification. Both flags are disabled by default. For that reason, we have assigned Low severity to the issue. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Vendor Product Version
OpenSSL OpenSSL Affected: 4.0.0 , < 4.0.1 (semver)
Affected: 3.6.0 , < 3.6.3 (semver)
Create a notification for this product.
Date Public
2026-06-09 14:00
Credits
Joshua Rogers (Aisle Research) Joshua Rogers (Aisle Research) Daniel Kubec
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42765",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T19:35:48.849695Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T19:36:06.889Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.3",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Joshua Rogers (Aisle Research)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Joshua Rogers (Aisle Research)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Daniel Kubec"
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: When a partial-chain certificate verification is enabled\u003cbr\u003etogether with OCSP response checking for the whole chain, a NULL dereference\u003cbr\u003ewill happen if the verified chain does not have a self-signed trusted anchor,\u003cbr\u003ecrashing the process.\u003cbr\u003e\u003cbr\u003eImpact summary: A NULL pointer dereference can trigger a crash which leads to a\u003cbr\u003eDenial of Service for an application.\u003cbr\u003e\u003cbr\u003eWhen performing OCSP response checking for certificates in the verification\u003cbr\u003echain, the code always tries to access the next certificate as the issuer.\u003cbr\u003eThere is a check for a self-signed certificate. However with the partial\u003cbr\u003echain verification enabled when the chain does not have a self-signed trusted\u003cbr\u003eanchor, the issuer will be NULL for the last certificate in the chain. A NULL\u003cbr\u003epointer dereference then happens.\u003cbr\u003e\u003cbr\u003eThis issue affects only applications which enable both OCSP verification\u003cbr\u003eof the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial\u003cbr\u003echain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate\u003cbr\u003everification. Both flags are disabled by default. For that reason, we have\u003cbr\u003eassigned Low severity to the issue.\u003cbr\u003e\u003cbr\u003eNo FIPS modules are affected by this issue as the affected code is outside\u003cbr\u003ethe OpenSSL FIPS module boundary."
            }
          ],
          "value": "Issue summary: When a partial-chain certificate verification is enabled\ntogether with OCSP response checking for the whole chain, a NULL dereference\nwill happen if the verified chain does not have a self-signed trusted anchor,\ncrashing the process.\n\nImpact summary: A NULL pointer dereference can trigger a crash which leads to a\nDenial of Service for an application.\n\nWhen performing OCSP response checking for certificates in the verification\nchain, the code always tries to access the next certificate as the issuer.\nThere is a check for a self-signed certificate. However with the partial\nchain verification enabled when the chain does not have a self-signed trusted\nanchor, the issuer will be NULL for the last certificate in the chain. A NULL\npointer dereference then happens.\n\nThis issue affects only applications which enable both OCSP verification\nof the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial\nchain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate\nverification. Both flags are disabled by default. For that reason, we have\nassigned Low severity to the issue.\n\nNo FIPS modules are affected by this issue as the affected code is outside\nthe OpenSSL FIPS module boundary."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Low"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T07:48:00.427Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "name": "4.0.1 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/14340b7fa1d444615486bc137014b064e64ec334"
        },
        {
          "name": "3.6.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "NULL Dereference in Certificate Verification with OCSP Checking",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2026-42765",
    "datePublished": "2026-06-09T16:03:25.934Z",
    "dateReserved": "2026-04-29T09:22:27.968Z",
    "dateUpdated": "2026-06-10T07:48:00.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42765",
      "date": "2026-06-19",
      "epss": "0.00408",
      "percentile": "0.32377"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42765\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2026-06-09T17:17:07.843\",\"lastModified\":\"2026-06-15T18:14:04.933\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Issue summary: When a partial-chain certificate verification is enabled\\ntogether with OCSP response checking for the whole chain, a NULL dereference\\nwill happen if the verified chain does not have a self-signed trusted anchor,\\ncrashing the process.\\n\\nImpact summary: A NULL pointer dereference can trigger a crash which leads to a\\nDenial of Service for an application.\\n\\nWhen performing OCSP response checking for certificates in the verification\\nchain, the code always tries to access the next certificate as the issuer.\\nThere is a check for a self-signed certificate. However with the partial\\nchain verification enabled when the chain does not have a self-signed trusted\\nanchor, the issuer will be NULL for the last certificate in the chain. A NULL\\npointer dereference then happens.\\n\\nThis issue affects only applications which enable both OCSP verification\\nof the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial\\nchain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate\\nverification. Both flags are disabled by default. For that reason, we have\\nassigned Low severity to the issue.\\n\\nNo FIPS modules are affected by this issue as the affected code is outside\\nthe OpenSSL FIPS module boundary.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"openssl-security@openssl.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.6.0\",\"versionEndExcluding\":\"3.6.3\",\"matchCriteriaId\":\"D41B3C45-EC73-4DC8-989D-B2E2792E102F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E881B9A-1A0A-4BC0-8160-20C00561167D\"}]}]}],\"references\":[{\"url\":\"https://github.com/openssl/openssl/commit/14340b7fa1d444615486bc137014b064e64ec334\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openssl/openssl/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://openssl-library.org/news/secadv/20260609.txt\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42765\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-09T19:35:48.849695Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-09T19:36:01.956Z\"}}], \"cna\": {\"title\": \"NULL Dereference in Certificate Verification with OCSP Checking\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Joshua Rogers (Aisle Research)\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Joshua Rogers (Aisle Research)\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Daniel Kubec\"}], \"metrics\": [{\"other\": {\"type\": \"https://openssl-library.org/policies/general/security-policy/\", \"content\": {\"text\": \"Low\"}}, \"format\": \"other\"}], \"affected\": [{\"vendor\": \"OpenSSL\", \"product\": \"OpenSSL\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"4.0.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"3.6.0\", \"lessThan\": \"3.6.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-06-09T14:00:00.000Z\", \"references\": [{\"url\": \"https://openssl-library.org/news/secadv/20260609.txt\", \"name\": \"OpenSSL Advisory\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/14340b7fa1d444615486bc137014b064e64ec334\", \"name\": \"4.0.1 git commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openssl/openssl/commit/eb345da18ce2216b2f3ade9c2bc23e068487fa97\", \"name\": \"3.6.3 git commit\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Issue summary: When a partial-chain certificate verification is enabled\\ntogether with OCSP response checking for the whole chain, a NULL dereference\\nwill happen if the verified chain does not have a self-signed trusted anchor,\\ncrashing the process.\\n\\nImpact summary: A NULL pointer dereference can trigger a crash which leads to a\\nDenial of Service for an application.\\n\\nWhen performing OCSP response checking for certificates in the verification\\nchain, the code always tries to access the next certificate as the issuer.\\nThere is a check for a self-signed certificate. However with the partial\\nchain verification enabled when the chain does not have a self-signed trusted\\nanchor, the issuer will be NULL for the last certificate in the chain. A NULL\\npointer dereference then happens.\\n\\nThis issue affects only applications which enable both OCSP verification\\nof the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial\\nchain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate\\nverification. Both flags are disabled by default. For that reason, we have\\nassigned Low severity to the issue.\\n\\nNo FIPS modules are affected by this issue as the affected code is outside\\nthe OpenSSL FIPS module boundary.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Issue summary: When a partial-chain certificate verification is enabled\u003cbr\u003etogether with OCSP response checking for the whole chain, a NULL dereference\u003cbr\u003ewill happen if the verified chain does not have a self-signed trusted anchor,\u003cbr\u003ecrashing the process.\u003cbr\u003e\u003cbr\u003eImpact summary: A NULL pointer dereference can trigger a crash which leads to a\u003cbr\u003eDenial of Service for an application.\u003cbr\u003e\u003cbr\u003eWhen performing OCSP response checking for certificates in the verification\u003cbr\u003echain, the code always tries to access the next certificate as the issuer.\u003cbr\u003eThere is a check for a self-signed certificate. However with the partial\u003cbr\u003echain verification enabled when the chain does not have a self-signed trusted\u003cbr\u003eanchor, the issuer will be NULL for the last certificate in the chain. A NULL\u003cbr\u003epointer dereference then happens.\u003cbr\u003e\u003cbr\u003eThis issue affects only applications which enable both OCSP verification\u003cbr\u003eof the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial\u003cbr\u003echain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate\u003cbr\u003everification. Both flags are disabled by default. For that reason, we have\u003cbr\u003eassigned Low severity to the issue.\u003cbr\u003e\u003cbr\u003eNo FIPS modules are affected by this issue as the affected code is outside\u003cbr\u003ethe OpenSSL FIPS module boundary.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476 NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"shortName\": \"openssl\", \"dateUpdated\": \"2026-06-10T07:48:00.427Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42765\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-10T07:48:00.427Z\", \"dateReserved\": \"2026-04-29T09:22:27.968Z\", \"assignerOrgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"datePublished\": \"2026-06-09T16:03:25.934Z\", \"assignerShortName\": \"openssl\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.