CVE & CISA-KEV Catalog

CVE-2026-42767

MEDIUM
5.9
CVSS v3
NVD

Description

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

How to fix

Remediation Available
opensslDebian
Fixed in:3.5.6-1~deb13u2CVE-2026-42767
Fixed in:3.6.3-1CVE-2026-42767
opensslRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
opensslRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-debuginfoRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-debuginfoRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-debugsourceRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-debugsourceRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-develRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-develRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-libsRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-libsRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-libs-debuginfoRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-libs-debuginfoRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-perlRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-perlRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
registry.redhat.io/discovery/discoveryRed Hat / RHEL
Fixed in:ui-rhel9@sha256:335f5d49155804969d193c3104fd144d7e499e2d5433965b217f379cbcf1cc75_arm64RHSA-2026:29197
Fixed in:server-rhel9@sha256:6a26bc89c61e7fad594399ceda8e170d66fa241d818eada7a12d9fec6bb08ecc_amd64RHSA-2026:29197
Fixed in:server-rhel9@sha256:ccd969d2710875e82896556e7b3c02e39147d03612452af6b0a916b656ce5b34_arm64RHSA-2026:29197
Fixed in:ui-rhel9@sha256:16b33ed961e598805d155db8fea7bb293fb8ef95ddd45169c61fbeb5a8944b6b_amd64RHSA-2026:29197
registry.redhat.io/discovery/discoveryRocky
Fixed in:server-rhel9@sha256:6a26bc89c61e7fad594399ceda8e170d66fa241d818eada7a12d9fec6bb08ecc_amd64RHSA-2026:29197
Fixed in:ui-rhel9@sha256:16b33ed961e598805d155db8fea7bb293fb8ef95ddd45169c61fbeb5a8944b6b_amd64RHSA-2026:29197
Fixed in:ui-rhel9@sha256:335f5d49155804969d193c3104fd144d7e499e2d5433965b217f379cbcf1cc75_arm64RHSA-2026:29197
Fixed in:server-rhel9@sha256:ccd969d2710875e82896556e7b3c02e39147d03612452af6b0a916b656ce5b34_arm64RHSA-2026:29197
registry.redhat.io/rhui5/cdsRed Hat / RHEL
Fixed in:rhel9@sha256:5c18f8336186fb1c9dbc1e710e91420ca3f5eca92b081cace3325585789f4825_amd64RHSA-2026:26319
Fixed in:kubernetes-rhel9@sha256:2958104c085c46561c9453784a06a36ab12a27e21ba1e732b4b30a092bb58805_amd64RHSA-2026:26319
registry.redhat.io/rhui5/cdsRocky
Fixed in:kubernetes-rhel9@sha256:2958104c085c46561c9453784a06a36ab12a27e21ba1e732b4b30a092bb58805_amd64RHSA-2026:26319
Fixed in:rhel9@sha256:5c18f8336186fb1c9dbc1e710e91420ca3f5eca92b081cace3325585789f4825_amd64RHSA-2026:26319
registry.redhat.io/rhui5/haproxyRed Hat / RHEL
Fixed in:rhel9@sha256:66ccfb245bd6461e49aa0c84742710b557b9924baaef38e02904c6fd2f8db0c5_amd64RHSA-2026:26319
registry.redhat.io/rhui5/haproxyRocky
Fixed in:rhel9@sha256:66ccfb245bd6461e49aa0c84742710b557b9924baaef38e02904c6fd2f8db0c5_amd64RHSA-2026:26319
registry.redhat.io/rhui5/installerRed Hat / RHEL
Fixed in:rhel9@sha256:4b793b24511377dd18beae2f85792e8b2af0c615837155137a62f65e171ca0d7_amd64RHSA-2026:26319
registry.redhat.io/rhui5/installerRocky
Fixed in:rhel9@sha256:4b793b24511377dd18beae2f85792e8b2af0c615837155137a62f65e171ca0d7_amd64RHSA-2026:26319
registry.redhat.io/rhui5/rhuaRed Hat / RHEL
Fixed in:rhel9@sha256:a79dde325d7229002a36a0a8ad75ae8c25e96004a9e5f0b90c51fc335460dccf_amd64RHSA-2026:26319
registry.redhat.io/rhui5/rhuaRocky
Fixed in:rhel9@sha256:a79dde325d7229002a36a0a8ad75ae8c25e96004a9e5f0b90c51fc335460dccf_amd64RHSA-2026:26319
libssl3Ubuntu
Fixed in:3.0.2-0ubuntu1.25USN-8414-1
libssl3t64Ubuntu
Fixed in:3.0.13-0ubuntu3.11USN-8414-1
Fixed in:3.5.3-1ubuntu3.4USN-8414-1
opensslUbuntu
Fixed in:3.0.2-0ubuntu1.25USN-8414-1
Fixed in:3.0.13-0ubuntu3.11USN-8414-1
Fixed in:3.5.3-1ubuntu3.4USN-8414-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityHigh
Privileges RequiredNone
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityNone
IntegrityNone
AvailabilityHigh

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploit Intelligence

0.35%probability of exploitation in 30 days
27thpercentile

Low risk: more likely to be exploited than 27% of all known CVEs.

References

Embed a live status badge for CVE-2026-42767
CVE-2026-42767 severity badge

Markdown

[![CVE-2026-42767](https://tridentstack.com/cve/badge/CVE-2026-42767.svg)](https://tridentstack.com/cve/CVE-2026-42767)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-42767"><img src="https://tridentstack.com/cve/badge/CVE-2026-42767.svg" alt="CVE-2026-42767"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-16.