
CVE-2026-45446 — Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes

AI-predicted score: 7.5 · Difficulty: Hard · EPSS: 0.21% · P11

Possible ATT&CK Techniques (1, AI-suggested)

T1190 · Exploit Public-Facing Application

Affected Version Matrix (5 ranges)

Vendor    Product   Version Range          Status
OpenSSL   OpenSSL   >= 4.0.0, < 4.0.1      affected
OpenSSL   OpenSSL   >= 3.6.0, < 3.6.3      affected
OpenSSL   OpenSSL   >= 3.5.0, < 3.5.7      affected
OpenSSL   OpenSSL   >= 3.4.0, < 3.4.6      affected
OpenSSL   OpenSSL   >= 3.0.0, < 3.0.21     affected

I. Basic Information for CVE-2026-45446

Vulnerability Information


Vulnerability Title
Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes
Source: NVD (National Vulnerability Database)
Vulnerability Description
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) when the ciphertext is empty, allowing forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to a victim application that uses these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, a nonce, optional AAD (bytes that are authenticated but not encrypted) and a plaintext, and produce a ciphertext plus a 16-byte tag. On decryption, `EVP_DecryptFinal_ex()` is documented to return success only if the tag verifies successfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without ever invoking the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its initial all-zeros value.

When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, an empty ciphertext and an all-zeros tag passes authentication under any key, without knowing that key, in a single attempt. When AES-SIV is used, mounting the attack additionally requires the application to reuse the decryption context without resetting the key.

AES-SIV has been implemented since OpenSSL 3.0; AES-GCM-SIV since OpenSSL 3.2. No protocol implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) supports either AES-GCM-SIV or AES-SIV. For an attack to be possible, the application must implement its own protocol using the EVP interface, and it must skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Missing Required Cryptographic Step
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenSSL Security Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenSSL is an open-source, general-purpose cryptographic library from the OpenSSL team that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. The product supports multiple cryptographic algorithms, including symmetric ciphers, hash algorithms and secure hash algorithms. OpenSSL contains a security vulnerability that stems from the AES-SIV and AES-GCM-SIV implementations mishandling AAD authentication when the ciphertext is empty, which allows an attacker to forge empty messages carrying arbitrary AAD.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor    Product   Affected Versions   CPE
OpenSSL   OpenSSL   4.0.0 ~ 4.0.1       -

II. Public POCs for CVE-2026-45446


No public POC found.

III. Intelligence Information for CVE-2026-45446


Patches & Fixes for CVE-2026-45446 (5)

Vendor Advisories for CVE-2026-45446 (1)

Same Patch Batch · OpenSSL · 2026-06-09 · 18 CVEs total

CVE-2026-45447: Heap Use-After-Free in the PKCS7_verify() Function
CVE-2026-34183: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler
CVE-2026-34181: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys
CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing
CVE-2026-34182: CMS AuthEnvelopedData Processing May Accept Forged Messages
CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption
CVE-2026-35188: Double-free When Checking OCSP Stapled Response
CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion
CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path
CVE-2026-42771: Possible Out-of-Bounds Read in X509_VERIFY_PARAM_set1_email()
CVE-2026-42768: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()
CVE-2026-42769: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate
CVE-2026-42767: NULL Pointer Dereference in CRMF EncryptedValue Decryption
CVE-2026-42766: Possible NULL Dereference in Password-Based CMS Decryption
CVE-2026-42764: NULL Pointer Dereference in QUIC Server Initial Packet Handling
CVE-2026-42770: FFC-DH Peer Validation Uses Attacker-Supplied q
CVE-2026-42765: NULL Dereference in Certificate Verification with OCSP Checking

IV. Related Vulnerabilities

V. Comments for CVE-2026-45446

No comments yet