
RLSA-2026:25237

Security
Mirrored from RHSA-2026:25237
Issued at: 2026-06-13
Updated at: 2026-06-14

Synopsis

Important: openssl security update



Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

* openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing (CVE-2026-7383)

* openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS password-based decryption (CVE-2026-9076)

* openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of service or information disclosure. (CVE-2026-34180)

* openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys (CVE-2026-34181)

* openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages (CVE-2026-34182)

* openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler (CVE-2026-34183)

* openssl: NULL pointer dereference in QUIC server initial packet handling (CVE-2026-42764)

* openssl: Possible NULL Dereference in Password-Based CMS Decryption (CVE-2026-42766)

* openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption (CVE-2026-42767)

* openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() (CVE-2026-42768)

* openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate (CVE-2026-42769)

* openssl: FFC-DH Peer Validation Uses Attacker-Supplied q (CVE-2026-42770)

* openssl: AES-OCB IV Ignored on EVP_Cipher() Path (CVE-2026-45445)

* openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (CVE-2026-45446)

* openssl: Heap Use-After-Free in OpenSSL PKCS7_verify() (CVE-2026-45447)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Affected products

* Rocky Linux 10 aarch64
* Rocky Linux 10 ppc64le
* Rocky Linux 10 riscv64
* Rocky Linux 10 s390x
* Rocky Linux 10 x86_64

Fixes

2481897, 2481890, 2481892, 2481880, 2481882, 2481891, 2481881, 2481879, 2481884, 2481894, 2481885, 2481898, 2481896, 2481893, 2481887

CVEs

CVE-2026-34180, CVE-2026-34181, CVE-2026-34182, CVE-2026-34183, CVE-2026-42764, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768, CVE-2026-42769, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447, CVE-2026-7383, CVE-2026-9076

Affected packages

Rocky Linux 10 ppc64le - BaseOS

* openssl-libs-1:3.5.5-4.el10_2.ppc64le.rpm
* openssl-debuginfo-1:3.5.5-4.el10_2.ppc64le.rpm
* openssl-debugsource-1:3.5.5-4.el10_2.ppc64le.rpm
* openssl-libs-debuginfo-1:3.5.5-4.el10_2.ppc64le.rpm
* openssl-1:3.5.5-4.el10_2.ppc64le.rpm
* openssl-1:3.5.5-4.el10_2.src.rpm

Rocky Linux 10 s390x - BaseOS

* openssl-debuginfo-1:3.5.5-4.el10_2.s390x.rpm
* openssl-libs-debuginfo-1:3.5.5-4.el10_2.s390x.rpm
* openssl-libs-1:3.5.5-4.el10_2.s390x.rpm
* openssl-1:3.5.5-4.el10_2.src.rpm
* openssl-debugsource-1:3.5.5-4.el10_2.s390x.rpm
* openssl-1:3.5.5-4.el10_2.s390x.rpm

Rocky Linux 10 x86_64 - BaseOS

* openssl-debugsource-1:3.5.5-4.el10_2.x86_64.rpm
* openssl-debuginfo-1:3.5.5-4.el10_2.x86_64.rpm
* openssl-1:3.5.5-4.el10_2.src.rpm
* openssl-libs-debuginfo-1:3.5.5-4.el10_2.x86_64.rpm
* openssl-1:3.5.5-4.el10_2.x86_64.rpm
* openssl-libs-1:3.5.5-4.el10_2.x86_64.rpm

Rocky Linux 10 s390x - AppStream

* openssl-devel-1:3.5.5-4.el10_2.s390x.rpm
* openssl-perl-1:3.5.5-4.el10_2.s390x.rpm

Rocky Linux 10 x86_64 - AppStream

* openssl-perl-1:3.5.5-4.el10_2.x86_64.rpm
* openssl-devel-1:3.5.5-4.el10_2.x86_64.rpm

Rocky Linux 10 aarch64 - BaseOS

* openssl-debuginfo-1:3.5.5-4.el10_2.aarch64.rpm
* openssl-1:3.5.5-4.el10_2.src.rpm
* openssl-1:3.5.5-4.el10_2.aarch64.rpm
* openssl-libs-debuginfo-1:3.5.5-4.el10_2.aarch64.rpm
* openssl-debugsource-1:3.5.5-4.el10_2.aarch64.rpm
* openssl-libs-1:3.5.5-4.el10_2.aarch64.rpm

Rocky Linux 10 riscv64 - BaseOS

* openssl-1:3.5.5-4.el10_2.src.rpm

Rocky Linux 10 ppc64le - AppStream

* openssl-perl-1:3.5.5-4.el10_2.ppc64le.rpm
* openssl-devel-1:3.5.5-4.el10_2.ppc64le.rpm

Rocky Linux 10 aarch64 - AppStream

* openssl-perl-1:3.5.5-4.el10_2.aarch64.rpm
* openssl-devel-1:3.5.5-4.el10_2.aarch64.rpm