High

Out-of-bounds read in OpenSSL CMS password-based decryption

IdentifiersCVE-2026-9076CWE-125· Out-of-bounds Read

CVE-2026-9076 is a low-severity heap out-of-bounds read in OpenSSL's CMS password-based decryption path for RFC 3211 / PWRI key unwrap. When processing attacker-supplied CMS data, the PWRI keyEncryptionAlgorithm OID can select a stream-mode KEK cipher even though the unwrap logic in kek_unwrap_key() performs an RFC check-byte validation that assumes sufficient buffer space based on block-cipher semantics. Because the minimum-length guard is derived from the wrapping cipher block length and there is no requirement that the attacker-selected cipher actually be a block cipher, the allocated heap buffer for the unwrapped key may be too small for the 7-byte check-byte read mandated by the RFC. This can cause a small heap over-read during the unwrap attempt. The issue is reachable in applications that call CMS_decrypt() or CMS_decrypt_set1_password(), including equivalent openssl cms -decrypt -pwri_password usage, on untrusted CMS input. The over-read occurs before password authentication succeeds, so no password knowledge is required. The OpenSSL FIPS modules are not affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can trigger a heap buffer over-read and potentially crash the target process, resulting in denial of service. The advisory states there is no information disclosure because the over-read bytes are not returned or otherwise exposed to the attacker. The read is limited to a few bytes, and a crash generally requires the affected heap allocation to lie at a page boundary with an unmapped following page, making reliable crash triggering less likely under normal allocator behavior.

Mitigation

If you can’t patch tonight, do this now.

Do not process untrusted CMS content with password-based CMS decryption until fixed builds are deployed. Specifically, avoid calling CMS_decrypt() or CMS_decrypt_set1_password() on attacker-controlled CMS data, or isolate and strictly restrict such processing paths. If possible, disable or avoid PWRI/password-based CMS decryption for untrusted inputs. FIPS modules are not affected.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release provided by upstream or your operating system/vendor. The supplied context indicates fixes were issued in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh, and 1.0.2zq. Apply the vendor update appropriate to the deployed branch and rebuild or restart dependent applications as needed.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A low-severity OpenSSL heap out-of-bounds read in CMS password-based decryption where attacker-controlled cipher selection can bypass length assumptions during PWRI key unwrap, potentially causing denial of service.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-9076

NVD

nvd.nist.gov/vuln/detail/CVE-2026-9076

MITRE CWE · CWE-125

Out-of-bounds Read

github.com

github.com/openssl/security/commit/05b066366842f930fadd9a6e94df98030af431bb

github.com

github.com/openssl/security/commit/3d8d5bc1056b2f62da9fede23fedbf47e85187b0

github.com

github.com/openssl/security/commit/715349a1d7c6db970e6815dafb90915f07307f98

github.com

github.com/openssl/security/commit/77bf00ab13f6ff5e516535432f0328ed70ec0c26

github.com

github.com/openssl/security/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6

openssl-library.org

openssl-library.org/news/secadv/20260609.txt