Critical

Heap Use-After-Free in OpenSSL PKCS7_verify()

IdentifiersCVE-2026-45447CWE-416· Use After Free

CVE-2026-45447 is a high-severity use-after-free vulnerability in OpenSSL's PKCS#7 signature verification path. When an application processes a specially crafted PKCS#7 or S/MIME signed message via the PKCS#7 APIs, and the SignedData digestAlgorithms field is encoded as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). If the application subsequently reuses or frees that BIO, a use-after-free condition occurs. In the common case, this is triggered when the caller later invokes BIO_free() on the same BIO originally passed to PKCS7_verify(). The issue affects applications using OpenSSL PKCS#7 APIs for PKCS#7 or S/MIME signed message verification; the CMS APIs are explicitly stated to be unaffected. Reported affected versions are OpenSSL 4.0.0 before 4.0.1, 3.6.0 before 3.6.3, 3.5.0 before 3.5.7, 3.4.0 before 3.4.6, 3.0.0 before 3.0.21, 1.1.1 before 1.1.1zh, and 1.0.2 before 1.0.2zq. The OpenSSL FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because the vulnerable code is outside the FIPS module boundary.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause process crashes, heap corruption, and potentially remote code execution, depending on allocator behavior and how the application uses the freed BIO after PKCS7_verify() returns. At minimum, this is a denial-of-service condition in affected applications that verify attacker-supplied PKCS#7 or S/MIME signed content. In some application contexts, the memory corruption may be exploitable beyond a crash.

Mitigation

If you can’t patch tonight, do this now.

Until patched, avoid processing untrusted PKCS#7 or S/MIME signed messages through the affected OpenSSL PKCS#7 verification APIs. Where operationally possible, disable or isolate PKCS#7/S/MIME verification of attacker-controlled content, or switch to the unaffected CMS APIs for equivalent processing. There is no general workaround that fully eliminates risk short of updating or avoiding the vulnerable code path.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release: 4.0.1 or later, 3.6.3 or later, 3.5.7 or later, 3.4.6 or later, 3.0.21 or later, 1.1.1zh or later, or 1.0.2zq or later, as applicable to the supported branch in use. Downstream consumers should apply vendor-supplied updates from their operating system or distribution if they do not build OpenSSL directly. If the application currently uses PKCS#7 APIs for signed-message verification, migrate that processing to the CMS APIs where feasible, as the advisory states CMS APIs are not affected.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

25 SOURCESView more in app

security online infoNews

Jun 10, 2026

OpenSSL Security Patches Fix Remote Code Execution Risk

A critical heap-based use-after-free/memory corruption vulnerability in OpenSSL PKCS#7/S/MIME signature verification routines that may lead to remote code execution or server disruption when crafted signed messages are processed.

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A high-severity OpenSSL use-after-free in PKCS7_verify() triggered by crafted PKCS#7 or S/MIME signed messages, potentially causing crashes, heap corruption, or remote code execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity21

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-45447

NVD

nvd.nist.gov/vuln/detail/CVE-2026-45447

MITRE CWE · CWE-416

Use After Free

github.com

github.com/openssl/security/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c

github.com

github.com/openssl/security/commit/7d4a980c62258c5910cc883936e0c8dbab4d75a8

github.com

github.com/openssl/security/commit/9dfd688ad2290fc5075cacbc9bf0c9a93eefed54

github.com

github.com/openssl/security/commit/a541ae8bfe849a30cc885e8780715c0f488e496c

github.com

github.com/openssl/security/commit/c505d7559da5d5f9f2c3913c6883a5562ce7273e

openssl-library.org

openssl-library.org/news/secadv/20260609.txt