CVE-2026-45447 – OpenSSL
“A signed message should verify trust, not create an opportunity for memory corruption.”
OpenSSL patched CVE-2026-45447, a use-after-free vulnerability affecting PKCS#7 and S/MIME signature verification. A specially crafted signed message can trigger incorrect handling of a caller-owned BIO during PKCS7_verify(), leading to a use-after-free condition. The CVSS score is 8.8, which is High severity.
Successful exploitation may result in application crashes, heap corruption, or potentially remote code execution depending on application behavior and memory allocation conditions. Applications using OpenSSL PKCS#7 APIs are affected, while applications using CMS APIs are not. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.
Key Details
- Affected Product
- Openssl Openssl
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- CWE Classification
- CWE-416