CVE-2026-45447 – OpenSSL

CVSS 8.8 IMPORTANT High with EoP or RCE – Expedited Deployment

“A signed message should verify trust, not create an opportunity for memory corruption.”

OpenSSL patched CVE-2026-45447, a use-after-free vulnerability affecting PKCS#7 and S/MIME signature verification. A specially crafted signed message can trigger incorrect handling of a caller-owned BIO during PKCS7_verify(), leading to a use-after-free condition. The CVSS score is 8.8, which is High severity.

Successful exploitation may result in application crashes, heap corruption, or potentially remote code execution depending on application behavior and memory allocation conditions. Applications using OpenSSL PKCS#7 APIs are affected, while applications using CMS APIs are not. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Affected Product
Openssl Openssl
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-416
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.