HOMEVULNERABILITIESCVE-2026-9076
HIGH

CVE-2026-9076

CWE-125Published: June 9, 2026· Updated: Jun 16, 2026

7.5
CVSS v3.1
EPSS:0.10%probability of exploitation in 30 daysPercentile:26.5th

Official Description

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap)

processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK

cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash which leads to

Denial of Service for an application if the input buffer ends at a memory

page boundary and the following page is unmapped. There is no information

disclosure as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the

RFC that reads 7 bytes from a heap allocation that is based on the wrapped

key length from the message. There is a minimum length check based on the

block length of the wrapping cipher. However the cipher is selected from

an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no

requirement that the cipher be a block cipher. When an attacker selects

a stream-mode cipher the guard will be ineffective and the allocated buffer

containing the unwrapped key can be too small to fit the check-bytes

specified in the RFC and a buffer over-read can happen.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password()

(equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS

data are vulnerable to this issue. No password knowledge is required: the

over-read happens during the unwrap attempt before any authentication

succeeds.

The over-read is limited to a few bytes and is not written to output, so

there is no information disclosure. Triggering a crash requires the

allocation to border unmapped memory, which is unlikely with the normal

allocator.

The FIPS modules are not affected by this issue.

NVD Source

Technical Analysis

CVE-2026-9076 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 7.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

OpenSSL1 product
openssl
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (6)

Quick Facts

CVE IDCVE-2026-9076
CVSS Score7.5 / 10
SeverityHIGH
WeaknessCWE-125
CISA KEVNo
EPSS (30d)0.10%
Affected1 vendor
PublishedJun 9, 2026

Related CVEs (CWE-125)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-9076 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.