CVE-2026-45447— Heap Use-After-Free in the PKCS7_verify() Function
In-the-Wild Activity Observed github_trending · low
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45447
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Heap Use-After-Free in the PKCS7_verify() Function
Source: NVD (National Vulnerability Database)
Vulnerability Description
Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
释放后使用
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenSSL 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenSSL是OpenSSL团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL存在资源管理错误漏洞,该漏洞源于处理特制PKCS#7或S/MIME签名消息时,在PKCS#7签名验证过程中可能触发释放后重用,可能导致进程崩溃、堆损坏或远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45447
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45447
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-45447 (5)
Vendor Advisories for CVE-2026-45447 (1)
Same Patch Batch · OpenSSL · 2026-06-09 · 18 CVEs total
| CVE-2026-45445 | AES-OCB IV Ignored on EVP_Cipher() Path | |
| CVE-2026-34183 | Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler | |
| CVE-2026-34181 | PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys | |
| CVE-2026-34180 | Heap Buffer Over-read in ASN.1 Content Parsing | |
| CVE-2026-34182 | CMS AuthEnvelopedData Processing May Accept Forged Messages | |
| CVE-2026-9076 | Out-of-Bounds Read in CMS Password-Based Decryption | |
| CVE-2026-35188 | Double-free When Checking OCSP Stapled Response | |
| CVE-2026-7383 | Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion | |
| CVE-2026-45446 | Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes | |
| CVE-2026-42771 | Possible Out of Bounds Read in X509_VERIFY_PARAM_set1_email() | |
| CVE-2026-42768 | Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() | |
| CVE-2026-42769 | Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate | |
| CVE-2026-42767 | NULL Pointer Dereference in CRMF EncryptedValue Decryption | |
| CVE-2026-42766 | Possible NULL Dereference in Password-Based CMS Decryption | |
| CVE-2026-42764 | NULL Pointer Dereference in QUIC Server Initial Packet Handling | |
| CVE-2026-42770 | FFC-DH Peer Validation Uses Attacker-Supplied q | |
| CVE-2026-42765 | NULL Dereference in Certificate Verification with OCSP Checking |
IV. Related Vulnerabilities
Same product: OpenSSL
- CVE-2026-45446
Incorrect Tag Processing for Empty Messages in AES-GCM-SIV a - CVE-2026-45445
AES-OCB IV Ignored on EVP_Cipher() Path - CVE-2026-42771
Possible Out of Bounds Read in X509_VERIFY_PARAM_set1_email( - CVE-2026-42770
FFC-DH Peer Validation Uses Attacker-Supplied q - CVE-2026-42769
Trust-Anchor Substitution via cert/issuer Typo in CMP rootCa
Same vendor: OpenSSL
- CVE-2026-45446
Incorrect Tag Processing for Empty Messages in AES-GCM-SIV a - CVE-2026-42771
Possible Out of Bounds Read in X509_VERIFY_PARAM_set1_email( - CVE-2026-45445
AES-OCB IV Ignored on EVP_Cipher() Path - CVE-2026-42770
FFC-DH Peer Validation Uses Attacker-Supplied q - CVE-2026-42769
Trust-Anchor Substitution via cert/issuer Typo in CMP rootCa
Same weakness: CWE-416
- CVE-2026-12706
Ffmpeg: ffmpeg: heap use-after-free read in rasc decoder dec - CVE-2026-11941
Use-after-free in connection ID iterator and FFI functions - CVE-2026-41156
GPU DDK - kernel<->fw CCB contains SYNC_PRIMITIVE_BLOCK firm - CVE-2026-34192
GPU DDK - _MMU_AllocLevel error recovery paths leave danglin - CVE-2026-56131
libexpat < 2.8.2 存在Use-After-Free漏洞
V. Comments for CVE-2026-45447
No comments yet