MEDIUM

CVE-2026-45446

CWE-325 · Published: June 9, 2026 · Updated: Jun 16, 2026

CVSS v3.1 score: 4.8
EPSS: 0.01% probability of exploitation in 30 days (percentile: 2.3)

Official Description

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext, allowing a forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified successfully.

In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invoking the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.

When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and an all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, mounting the attack requires the application to reuse the decryption context without resetting the key.

AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.

No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the application must implement its own protocol and use the EVP interface. It must also skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
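The description above puts the burden on applications that implement their own protocol over the EVP interface. The following is an added example, not code from the advisory, NVD or OpenSSL: an application-side guard in Python that runs before any library call. It refuses the two things the described forgery depends on (an empty ciphertext, where the protocol never legitimately sends one, and an all-zero tag) and routes every message through a `decrypt_one` callback that is expected to build a fresh keyed context per call, so the AES-SIV context-reuse precondition is never met. The frame layout (`nonce || aad_len || aad || ciphertext || tag`), the 12-byte nonce, and the `decrypt_one` callback are assumptions made for this example; the stub decryptor is not a cipher.

```python
"""Application-side guards for AES-SIV / AES-GCM-SIV frames (added example).

Frame layout, nonce size and the decrypt_one callback are assumptions made for
this example; they are not part of the advisory or of OpenSSL.
"""
import struct
from typing import Callable, Optional, Tuple

NONCE_LEN = 12   # assumed nonce size for this example protocol
TAG_LEN = 16     # RFC 5297 and RFC 8452 both use a 16-byte tag

# decrypt_one(key, nonce, aad, ciphertext, tag) -> plaintext
Decryptor = Callable[[bytes, bytes, bytes, bytes, bytes], bytes]


def build_frame(nonce: bytes, aad: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Serialize nonce || aad_len (u16 big-endian) || aad || ciphertext || tag."""
    assert len(nonce) == NONCE_LEN and len(tag) == TAG_LEN
    return nonce + struct.pack(">H", len(aad)) + aad + ciphertext + tag


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """Split a frame into (nonce, aad, ciphertext, tag); ValueError if malformed."""
    if len(frame) < NONCE_LEN + 2 + TAG_LEN:
        raise ValueError("frame too short")
    nonce = frame[:NONCE_LEN]
    (aad_len,) = struct.unpack(">H", frame[NONCE_LEN:NONCE_LEN + 2])
    body = frame[NONCE_LEN + 2:]
    if len(body) < aad_len + TAG_LEN:
        raise ValueError("aad length exceeds frame")
    aad = body[:aad_len]
    ciphertext = body[aad_len:len(body) - TAG_LEN]
    tag = body[len(body) - TAG_LEN:]
    return nonce, aad, ciphertext, tag


def check_frame(frame: bytes, allow_empty_ciphertext: bool = False) -> str:
    """Return "ok" or a rejection reason. Runs before any cipher library call."""
    try:
        _nonce, _aad, ciphertext, tag = parse_frame(frame)
    except ValueError as err:
        return f"malformed: {err}"
    if not ciphertext and not allow_empty_ciphertext:
        # The forgery needs an empty ciphertext. A protocol that never sends
        # empty payloads can refuse such frames without consulting the library.
        return "empty ciphertext"
    if tag == bytes(TAG_LEN):
        # A genuine 16-byte tag is all-zero with probability 2^-128, so
        # refusing it costs nothing and blocks the single-shot AES-GCM-SIV case.
        return "all-zero tag"
    return "ok"


def decrypt_frame(frame: bytes, key: bytes, decrypt_one: Decryptor,
                  allow_empty_ciphertext: bool = False) -> Optional[bytes]:
    """Guarded decrypt: plaintext on success, None when the frame is rejected."""
    if check_frame(frame, allow_empty_ciphertext) != "ok":
        return None
    nonce, aad, ciphertext, tag = parse_frame(frame)
    # decrypt_one receives the key on every call so it can create a fresh
    # cipher context per message; a context is never reused across messages,
    # which removes the AES-SIV precondition (reuse without resetting the key).
    return decrypt_one(key, nonce, aad, ciphertext, tag)


def demo_decryptor(key: bytes, nonce: bytes, aad: bytes,
                   ciphertext: bytes, tag: bytes) -> bytes:
    """Stand-in for the real AEAD call (constructed for the example; not a cipher)."""
    return b"plaintext-for:" + aad


if __name__ == "__main__":
    key = b"k" * 32  # constructed placeholder key
    # Constructed frame with the shape the advisory describes: arbitrary AAD,
    # empty ciphertext, all-zero tag. The guard refuses it before any decryption.
    suspect = build_frame(bytes(NONCE_LEN), b"arbitrary AAD", b"", bytes(TAG_LEN))
    print("suspect frame:", check_frame(suspect), decrypt_frame(suspect, key, demo_decryptor))
    normal = build_frame(bytes(NONCE_LEN), b"hdr", b"\x01\x02", b"\x07" * TAG_LEN)
    print("normal frame:", check_frame(normal), decrypt_frame(normal, key, demo_decryptor))
```

The real library call belongs in `decrypt_one`; whatever it is, it should key a new context for each message rather than reusing one. Rejecting an empty ciphertext is a protocol decision: if empty payloads carrying only AAD are legitimate in your protocol, pass `allow_empty_ciphertext=True` and rely on the patched library instead; the all-zero tag check can stay in either case.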

NVD Source

Technical Analysis

According to the CVSS vector, CVE-2026-45446 can be exploited remotely over the network (AV:N) without physical or adjacent access, and it requires no privileges (PR:N) and no user interaction (UI:N), which makes automated exploitation attempts feasible in principle.

Attack complexity is rated High (AC:H), however: as the description states, the target application must implement its own protocol over the EVP interface with AES-SIV or AES-GCM-SIV and skip the ciphertext update when a message with an empty ciphertext arrives (and, for AES-SIV, reuse the decryption context without resetting the key). The impact is the forgery of empty messages with attacker-chosen AAD (C:L/I:L, A:N).

CVSS v3.1 Vector Breakdown

Exploitability
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
Impact
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Vendors & Products

OpenSSL (1 product): openssl
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Official Patches & Advisories

All References (6)

Quick Facts

  • CVE ID: CVE-2026-45446
  • CVSS Score: 4.8 / 10
  • Severity: MEDIUM
  • Weakness: CWE-325
  • CISA KEV: No
  • EPSS (30d): 0.01%
  • Affected: 1 vendor
  • Published: Jun 9, 2026

Related CVEs (CWE-325)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45446 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.