Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

ASN1_TYPE Type Confusion in OpenSSL PKCS7_digest_from_attributes()

IdentifiersCVE-2026-22796CWE-843

CVE-2026-22796 is a type confusion vulnerability in OpenSSL's legacy PKCS#7 signature verification path, specifically in the PKCS7_digest_from_attributes() function. The function reads the messageDigest attribute from signed PKCS#7 data and accesses an ASN1_TYPE union member without first validating that the attribute type is V_ASN1_OCTET_STRING. When a malformed signed PKCS#7 object supplies an unexpected ASN.1 type, the code dereferences an invalid or NULL pointer through the ASN1_TYPE union, causing a crash during signature verification or when the function is called directly. The issue affects OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, and 1.0.2. The OpenSSL FIPS modules in 3.5, 3.4, 3.3, and 3.0 are not affected because the vulnerable PKCS#7 parsing code is outside the FIPS module boundary.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes an invalid or NULL pointer dereference, resulting in process termination and Denial of Service. Based on the provided content, the impact is limited to availability loss; there is no indication that this issue enables code execution, privilege escalation, or data disclosure. OpenSSL assessed the issue as Low severity.

Mitigation

If you can’t patch tonight, do this now.

Avoid invoking the legacy PKCS#7 verification path on untrusted input where possible, and prefer the CMS API instead of PKCS#7 APIs. Until patched versions are deployed, reduce exposure by preventing applications from processing attacker-supplied malformed signed PKCS#7 data, adding input filtering/validation around PKCS#7 handling, and isolating or sandboxing services that must verify externally supplied PKCS#7 objects.

Remediation

Patch, then assume compromise.

Upgrade to a fixed OpenSSL release for the affected branch. The provided content indicates fixes are included in OpenSSL 3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19, 1.1.1ze, and 1.0.2zn. Downstream vendors should apply their corresponding patched packages or firmware updates. Where feasible, applications should migrate away from the legacy PKCS#7 API to the CMS API, as recommended by OpenSSL.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
FreebsdFreebsdapplication
OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

39 SOURCESView more in app
support hpeNews
Apr 30, 2026
HPESBHF05044 rev.1 - HPE Superdome Flex 280 and Compute Scale-up Server 3200 Platform, Denial of Service Vulnerability

A remote denial-of-service vulnerability affecting HPE Superdome Flex 280 and HPE Compute Scale-up Server 3200 platforms.

Read more
help net securityNews
Mar 2, 2026
IPFire ships its 200th core update with a new domain blocklist and kernel upgrade - Help Net Security

An OpenSSL vulnerability patched by upgrading to OpenSSL 3.6.1 in IPFire Core Update 200.

Read more
f5News
Mar 2, 2026
Weekly Threat Bulletin - February 4th, 2026 | F5 Labs

Unknown (listed among related OpenSSL CVEs, but not described in the content).

Read more
blueteamsecNews
Jan 28, 2026
OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) - Infosec.Pub

Unknown

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity22

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-22796
NVD
nvd.nist.gov/vuln/detail/CVE-2026-22796
MITRE CWE · CWE-843
cwe.mitre.org
Patch
github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
Patch
github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49
Patch
github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
Patch
github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e
Patch
github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
Vendor Advisory
openssl-library.org/news/secadv/20260127.txt
cert-portal.siemens.com
cert-portal.siemens.com/productcert/html/ssa-265688.html