Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2026:26275
Vulnerability from osv_almalinux
Published
2026-06-16 00:00
Modified
2026-06-17 09:39
Summary
Important: openssl security update
Details
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
- openssl: Use After Free with SSL_free_buffers (CVE-2024-4741)
- openssl: Heap Use-After-Free in OpenSSL PKCS7_verify() (CVE-2026-45447)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "openssl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.1k-16.el8_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "openssl-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.1k-16.el8_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "openssl-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.1k-16.el8_6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "openssl-perl"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:1.1.1k-16.el8_6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. \n\nSecurity Fix(es): \n\n * openssl: Use After Free with SSL_free_buffers (CVE-2024-4741)\n * openssl: Heap Use-After-Free in OpenSSL PKCS7_verify() (CVE-2026-45447)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:26275",
"modified": "2026-06-17T09:39:53Z",
"published": "2026-06-16T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:26275"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2024-4741"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-45447"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2283757"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2481898"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2026-26275.html"
}
],
"related": [
"CVE-2024-4741",
"CVE-2026-45447"
],
"summary": "Important: openssl security update"
}
CVE-2024-4741 (GCVE-0-2024-4741)
Vulnerability from cvelistv5 – Published: 2024-11-13 10:20 – Updated: 2025-11-04 17:26
VLAI
EPSS
Title
Use After Free with SSL_free_buffers
Summary
Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause
memory to be accessed that was previously freed in some situations
Impact summary: A use after free can have a range of potential consequences such
as the corruption of valid data, crashes or execution of arbitrary code.
However, only applications that directly call the SSL_free_buffers function are
affected by this issue. Applications that do not call this function are not
vulnerable. Our investigations indicate that this function is rarely used by
applications.
The SSL_free_buffers function is used to free the internal OpenSSL buffer used
when processing an incoming record from the network. The call is only expected
to succeed if the buffer is not currently in use. However, two scenarios have
been identified where the buffer is freed even when still in use.
The first scenario occurs where a record header has been received from the
network and processed by OpenSSL, but the full record body has not yet arrived.
In this case calling SSL_free_buffers will succeed even though a record has only
been partially processed and the buffer is still in use.
The second scenario occurs where a full record containing application data has
been received and processed by OpenSSL but the application has only read part of
this data. Again a call to SSL_free_buffers will succeed even though the buffer
is still in use.
While these scenarios could occur accidentally during normal operation a
malicious attacker could attempt to engineer a stituation where this occurs.
We are not aware of this issue being actively exploited.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://www.openssl.org/news/secadv/20240528.txt | vendor-advisory |
| https://github.com/openssl/openssl/commit/e509313… | patch |
| https://github.com/openssl/openssl/commit/c88c3de… | patch |
| https://github.com/openssl/openssl/commit/704f725… | patch |
| https://github.com/openssl/openssl/commit/b3f0eb0… | patch |
| https://github.openssl.org/openssl/extended-relea… | patch |
| https://lists.debian.org/debian-lts-announce/2024… | |
| https://lists.debian.org/debian-lts-announce/2024… | |
| https://security.netapp.com/advisory/ntap-2024062… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| OpenSSL | OpenSSL |
Affected:
3.3.0 , < 3.3.1
(semver)
Affected: 3.2.0 , < 3.2.2 (semver) Affected: 3.1.0 , < 3.1.6 (semver) Affected: 3.0.0 , < 3.0.14 (semver) Affected: 1.1.1 , < 1.1.1y (custom) |
|
| openssl | openssl |
Affected:
1.1.1 , < 1.1.1y
(semver)
Affected: 3.0.0 , < 3.0.14 (semver) Affected: 3.1.0 , < 3.1.6 (semver) Affected: 3.2.0 , < 3.2.2 (semver) Affected: 3.3.0 , < 3.3.1 (semver) cpe:2.3:a:openssl:openssl:-:*:*:*:*:*:*:* |
Date Public
2024-05-27 23:00
Credits
William Ahern (Akamai)
Matt Caswell
Watson Ladd (Akamai)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openssl:openssl:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openssl",
"vendor": "openssl",
"versions": [
{
"lessThan": "1.1.1y",
"status": "affected",
"version": "1.1.1",
"versionType": "semver"
},
{
"lessThan": "3.0.14",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "3.1.6",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-4741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-13T14:45:07.092438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T14:49:05.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T17:26:59.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240621-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThan": "3.2.2",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
},
{
"lessThan": "3.1.6",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.0.14",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1y",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "William Ahern (Akamai)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Matt Caswell"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Watson Ladd (Akamai)"
}
],
"datePublic": "2024-05-27T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\u003cbr\u003ememory to be accessed that was previously freed in some situations\u003cbr\u003e\u003cbr\u003eImpact summary: A use after free can have a range of potential consequences such\u003cbr\u003eas the corruption of valid data, crashes or execution of arbitrary code.\u003cbr\u003eHowever, only applications that directly call the SSL_free_buffers function are\u003cbr\u003eaffected by this issue. Applications that do not call this function are not\u003cbr\u003evulnerable. Our investigations indicate that this function is rarely used by\u003cbr\u003eapplications.\u003cbr\u003e\u003cbr\u003eThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\u003cbr\u003ewhen processing an incoming record from the network. The call is only expected\u003cbr\u003eto succeed if the buffer is not currently in use. However, two scenarios have\u003cbr\u003ebeen identified where the buffer is freed even when still in use.\u003cbr\u003e\u003cbr\u003eThe first scenario occurs where a record header has been received from the\u003cbr\u003enetwork and processed by OpenSSL, but the full record body has not yet arrived.\u003cbr\u003eIn this case calling SSL_free_buffers will succeed even though a record has only\u003cbr\u003ebeen partially processed and the buffer is still in use.\u003cbr\u003e\u003cbr\u003eThe second scenario occurs where a full record containing application data has\u003cbr\u003ebeen received and processed by OpenSSL but the application has only read part of\u003cbr\u003ethis data. Again a call to SSL_free_buffers will succeed even though the buffer\u003cbr\u003eis still in use.\u003cbr\u003e\u003cbr\u003eWhile these scenarios could occur accidentally during normal operation a\u003cbr\u003emalicious attacker could attempt to engineer a stituation where this occurs.\u003cbr\u003eWe are not aware of this issue being actively exploited.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue."
}
],
"value": "Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause\nmemory to be accessed that was previously freed in some situations\n\nImpact summary: A use after free can have a range of potential consequences such\nas the corruption of valid data, crashes or execution of arbitrary code.\nHowever, only applications that directly call the SSL_free_buffers function are\naffected by this issue. Applications that do not call this function are not\nvulnerable. Our investigations indicate that this function is rarely used by\napplications.\n\nThe SSL_free_buffers function is used to free the internal OpenSSL buffer used\nwhen processing an incoming record from the network. The call is only expected\nto succeed if the buffer is not currently in use. However, two scenarios have\nbeen identified where the buffer is freed even when still in use.\n\nThe first scenario occurs where a record header has been received from the\nnetwork and processed by OpenSSL, but the full record body has not yet arrived.\nIn this case calling SSL_free_buffers will succeed even though a record has only\nbeen partially processed and the buffer is still in use.\n\nThe second scenario occurs where a full record containing application data has\nbeen received and processed by OpenSSL but the application has only read part of\nthis data. Again a call to SSL_free_buffers will succeed even though the buffer\nis still in use.\n\nWhile these scenarios could occur accidentally during normal operation a\nmalicious attacker could attempt to engineer a stituation where this occurs.\nWe are not aware of this issue being actively exploited.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://www.openssl.org/policies/secpolicy.html"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T10:20:50.711Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.openssl.org/news/secadv/20240528.txt"
},
{
"name": "3.3.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/e5093133c35ca82874ad83697af76f4b0f7e3bd8"
},
{
"name": "3.2.2 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/c88c3de51020c37e8706bf7a682a162593053aac"
},
{
"name": "3.1.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/704f725b96aa373ee45ecfb23f6abfe8be8d9177"
},
{
"name": "3.0.14 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d"
},
{
"name": "1.1.1y git commit",
"tags": [
"patch"
],
"url": "https://github.openssl.org/openssl/extended-releases/commit/f7a045f3143fc6da2ee66bf52d8df04829590dd4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Use After Free with SSL_free_buffers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2024-4741",
"datePublished": "2024-11-13T10:20:50.711Z",
"dateReserved": "2024-05-10T09:56:11.310Z",
"dateUpdated": "2025-11-04T17:26:59.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45447 (GCVE-0-2026-45447)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-07-01 12:04
VLAI
EPSS
Title
Heap Use-After-Free in the PKCS7_verify() Function
Summary
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could
trigger a use-after-free during PKCS#7 signature verification.
Impact summary: A use-after-free may result in process crashes, heap
corruption, or potentially remote code execution.
When processing a PKCS#7 or S/MIME signed message, if the SignedData
digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may
incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent
use of the BIO by the calling application results in a use-after-free
condition.
In the common case this occurs when the application later calls
BIO_free() on the BIO originally passed to PKCS7_verify(). Depending
on allocator behavior and application-specific BIO usage patterns, this
may result in a crash or other memory corruption. In some application
contexts this may potentially be exploitable for remote code execution.
Applications that process PKCS#7 or S/MIME signed messages using OpenSSL
PKCS#7 APIs may be affected. Applications using the CMS APIs for this
processing are not affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Severity
8.8 (High)
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
15 references
| URL | Tags |
|---|---|
| https://openssl-library.org/news/secadv/20260609.txt | vendor-advisory |
| https://github.com/openssl/openssl/commit/3aad5eb… | patch |
| https://github.com/openssl/openssl/commit/c505d75… | patch |
| https://github.com/openssl/openssl/commit/7d4a980… | patch |
| https://github.com/openssl/openssl/commit/a541ae8… | patch |
| https://github.com/openssl/openssl/commit/9dfd688… | patch |
| https://access.redhat.com/security/cve/CVE-2026-45447 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2481898 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:25237 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25239 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26275 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:29197 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:34102 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:26319 | vendor-advisoryx_refsource_REDHAT |
Impacted products
18 products
| Vendor | Product | Version | |
|---|---|---|---|
| OpenSSL | OpenSSL |
Affected:
4.0.0 , < 4.0.1
(semver)
Affected: 3.6.0 , < 3.6.3 (semver) Affected: 3.5.0 , < 3.5.7 (semver) Affected: 3.4.0 , < 3.4.6 (semver) Affected: 3.0.0 , < 3.0.21 (semver) Affected: 1.1.1 , < 1.1.1zh (custom) Affected: 1.0.2 , < 1.0.2zq (custom) |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux AppStream (v. 9) |
cpe:/a:redhat:enterprise_linux:9::appstream |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 10) |
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 8) |
cpe:/o:redhat:enterprise_linux:8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6) |
cpe:/o:redhat:rhel_eus_long_life:8.6::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS E4S (v.8.8) |
cpe:/o:redhat:rhel_e4s:8.8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS TUS (v.8.8) |
cpe:/o:redhat:rhel_tus:8.8::baseos |
|
| Red Hat | Red Hat Enterprise Linux BaseOS (v. 9) |
cpe:/o:redhat:enterprise_linux:9::baseos |
|
| Red Hat | Red Hat Discovery 2 |
cpe:/a:redhat:discovery:2::el9 |
|
| Red Hat | Red Hat Insights proxy 1.5 |
cpe:/a:redhat:insights_proxy:1.5::el9 |
|
| Red Hat | Red Hat Update Infrastructure 5 |
cpe:/a:redhat:rhui:5::el9 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
Date Public
2026-06-09 14:00
Credits
Thai Duong (Calif.io in collaboration with Claude and Anthropic Research)
Igor Ustinov
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T03:59:38.212378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T13:32:20.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux AppStream (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 10)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_eus_long_life:8.6::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_e4s:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:rhel_tus:8.8::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux BaseOS (v. 9)",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:discovery:2::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Discovery 2",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:insights_proxy:1.5::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Insights proxy 1.5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:rhui:5::el9"
],
"defaultStatus": "affected",
"product": "Red Hat Update Infrastructure 5",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenSSL. When processing a specially crafted PKCS#7 or S/MIME (Secure/Multipurpose Internet Mail Extensions) signed message, a heap use-after-free vulnerability in the PKCS7_verify() function can be triggered. This occurs if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, leading to incorrect memory deallocation. A remote attacker could exploit this to cause application crashes, memory corruption, or potentially achieve remote code execution."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-825",
"description": "Expired Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T12:04:41.339Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-45447"
},
{
"name": "RHBZ#2481898",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45447.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25237"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25239"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26275"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:34102"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26319"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:25237: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)"
},
{
"lang": "en",
"value": "RHSA-2026:25239: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)"
},
{
"lang": "en",
"value": "RHSA-2026:26275: Red Hat Enterprise Linux BaseOS (v. 8), Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
},
{
"lang": "en",
"value": "RHSA-2026:29197: Red Hat Discovery 2"
},
{
"lang": "en",
"value": "RHSA-2026:34102: Red Hat Insights proxy 1.5"
},
{
"lang": "en",
"value": "RHSA-2026:26319: Red Hat Update Infrastructure 5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T14:17:46.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-09T00:00:00.000Z",
"value": "Made public."
}
],
"title": "openssl: Heap Use-After-Free in OpenSSL PKCS7_verify()",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "3.6.3",
"status": "affected",
"version": "3.6.0",
"versionType": "semver"
},
{
"lessThan": "3.5.7",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"lessThan": "3.4.6",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.0.21",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1zh",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.0.2zq",
"status": "affected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Thai Duong (Calif.io in collaboration with Claude and Anthropic Research)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Igor Ustinov"
}
],
"datePublic": "2026-06-09T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\u003cbr\u003etrigger a use-after-free during PKCS#7 signature verification.\u003cbr\u003e\u003cbr\u003eImpact summary: A use-after-free may result in process crashes, heap\u003cbr\u003ecorruption, or potentially remote code execution.\u003cbr\u003e\u003cbr\u003eWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\u003cbr\u003edigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\u003cbr\u003eincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\u003cbr\u003euse of the BIO by the calling application results in a use-after-free\u003cbr\u003econdition.\u003cbr\u003e\u003cbr\u003eIn the common case this occurs when the application later calls\u003cbr\u003eBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\u003cbr\u003eon allocator behavior and application-specific BIO usage patterns, this\u003cbr\u003emay result in a crash or other memory corruption. In some application\u003cbr\u003econtexts this may potentially be exploitable for remote code execution.\u003cbr\u003e\u003cbr\u003eApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\u003cbr\u003ePKCS#7 APIs may be affected. Applications using the CMS APIs for this\u003cbr\u003eprocessing are not affected.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\u003cbr\u003eissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"value": "Issue summary: A specially crafted PKCS#7 or S/MIME signed message could\ntrigger a use-after-free during PKCS#7 signature verification.\n\nImpact summary: A use-after-free may result in process crashes, heap\ncorruption, or potentially remote code execution.\n\nWhen processing a PKCS#7 or S/MIME signed message, if the SignedData\ndigestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may\nincorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent\nuse of the BIO by the calling application results in a use-after-free\ncondition.\n\nIn the common case this occurs when the application later calls\nBIO_free() on the BIO originally passed to PKCS7_verify(). Depending\non allocator behavior and application-specific BIO usage patterns, this\nmay result in a crash or other memory corruption. In some application\ncontexts this may potentially be exploitable for remote code execution.\n\nApplications that process PKCS#7 or S/MIME signed messages using OpenSSL\nPKCS#7 APIs may be affected. Applications using the CMS APIs for this\nprocessing are not affected.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "High"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:48:15.381Z",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20260609.txt"
},
{
"name": "4.0.1 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c"
},
{
"name": "3.6.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e"
},
{
"name": "3.5.7 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8"
},
{
"name": "3.4.6 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/a541ae8bfe849a30cc885e8780715c0f488e496c"
},
{
"name": "3.0.21 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Use-After-Free in the PKCS7_verify() Function",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2026-45447",
"datePublished": "2026-06-09T16:03:32.914Z",
"dateReserved": "2026-05-12T14:34:06.277Z",
"dateUpdated": "2026-07-01T12:04:41.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…