CVE & CISA-KEV Catalog

CVE-2026-42769

MEDIUM
5.3
CVSS v3
NVD

Description

Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

How to fix

Remediation Available
opensslDebian
Fixed in:3.5.6-1~deb13u2CVE-2026-42769
Fixed in:3.6.3-1CVE-2026-42769
opensslRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
opensslRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-debuginfoRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-debuginfoRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-debugsourceRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-debugsourceRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-develRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-develRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-libsRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-libsRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-libs-debuginfoRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-libs-debuginfoRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-perlRocky
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
openssl-perlRed Hat / RHEL
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el10_2RHSA-2026:25237
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
Fixed in:1:3.5.5-4.el9_8RHSA-2026:25239
registry.redhat.io/discovery/discoveryRed Hat / RHEL
Fixed in:server-rhel9@sha256:ccd969d2710875e82896556e7b3c02e39147d03612452af6b0a916b656ce5b34_arm64RHSA-2026:29197
Fixed in:server-rhel9@sha256:6a26bc89c61e7fad594399ceda8e170d66fa241d818eada7a12d9fec6bb08ecc_amd64RHSA-2026:29197
Fixed in:ui-rhel9@sha256:16b33ed961e598805d155db8fea7bb293fb8ef95ddd45169c61fbeb5a8944b6b_amd64RHSA-2026:29197
Fixed in:ui-rhel9@sha256:335f5d49155804969d193c3104fd144d7e499e2d5433965b217f379cbcf1cc75_arm64RHSA-2026:29197
registry.redhat.io/discovery/discoveryRocky
Fixed in:server-rhel9@sha256:6a26bc89c61e7fad594399ceda8e170d66fa241d818eada7a12d9fec6bb08ecc_amd64RHSA-2026:29197
Fixed in:ui-rhel9@sha256:16b33ed961e598805d155db8fea7bb293fb8ef95ddd45169c61fbeb5a8944b6b_amd64RHSA-2026:29197
Fixed in:server-rhel9@sha256:ccd969d2710875e82896556e7b3c02e39147d03612452af6b0a916b656ce5b34_arm64RHSA-2026:29197
Fixed in:ui-rhel9@sha256:335f5d49155804969d193c3104fd144d7e499e2d5433965b217f379cbcf1cc75_arm64RHSA-2026:29197
registry.redhat.io/rhui5/cdsRocky
Fixed in:kubernetes-rhel9@sha256:2958104c085c46561c9453784a06a36ab12a27e21ba1e732b4b30a092bb58805_amd64RHSA-2026:26319
Fixed in:rhel9@sha256:5c18f8336186fb1c9dbc1e710e91420ca3f5eca92b081cace3325585789f4825_amd64RHSA-2026:26319
registry.redhat.io/rhui5/cdsRed Hat / RHEL
Fixed in:rhel9@sha256:5c18f8336186fb1c9dbc1e710e91420ca3f5eca92b081cace3325585789f4825_amd64RHSA-2026:26319
Fixed in:kubernetes-rhel9@sha256:2958104c085c46561c9453784a06a36ab12a27e21ba1e732b4b30a092bb58805_amd64RHSA-2026:26319
registry.redhat.io/rhui5/haproxyRed Hat / RHEL
Fixed in:rhel9@sha256:66ccfb245bd6461e49aa0c84742710b557b9924baaef38e02904c6fd2f8db0c5_amd64RHSA-2026:26319
registry.redhat.io/rhui5/haproxyRocky
Fixed in:rhel9@sha256:66ccfb245bd6461e49aa0c84742710b557b9924baaef38e02904c6fd2f8db0c5_amd64RHSA-2026:26319
registry.redhat.io/rhui5/installerRed Hat / RHEL
Fixed in:rhel9@sha256:4b793b24511377dd18beae2f85792e8b2af0c615837155137a62f65e171ca0d7_amd64RHSA-2026:26319
registry.redhat.io/rhui5/installerRocky
Fixed in:rhel9@sha256:4b793b24511377dd18beae2f85792e8b2af0c615837155137a62f65e171ca0d7_amd64RHSA-2026:26319
registry.redhat.io/rhui5/rhuaRed Hat / RHEL
Fixed in:rhel9@sha256:a79dde325d7229002a36a0a8ad75ae8c25e96004a9e5f0b90c51fc335460dccf_amd64RHSA-2026:26319
registry.redhat.io/rhui5/rhuaRocky
Fixed in:rhel9@sha256:a79dde325d7229002a36a0a8ad75ae8c25e96004a9e5f0b90c51fc335460dccf_amd64RHSA-2026:26319
libssl3Ubuntu
Fixed in:3.0.2-0ubuntu1.25USN-8414-1
libssl3t64Ubuntu
Fixed in:3.0.13-0ubuntu3.11USN-8414-1
Fixed in:3.5.3-1ubuntu3.4USN-8414-1
opensslUbuntu
Fixed in:3.0.2-0ubuntu1.25USN-8414-1
Fixed in:3.0.13-0ubuntu3.11USN-8414-1
Fixed in:3.5.3-1ubuntu3.4USN-8414-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityNone
AvailabilityNone

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploit Intelligence

0.26%probability of exploitation in 30 days
18thpercentile

Low risk: more likely to be exploited than 18% of all known CVEs.

References

Embed a live status badge for CVE-2026-42769
CVE-2026-42769 severity badge

Markdown

[![CVE-2026-42769](https://tridentstack.com/cve/badge/CVE-2026-42769.svg)](https://tridentstack.com/cve/CVE-2026-42769)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-42769"><img src="https://tridentstack.com/cve/badge/CVE-2026-42769.svg" alt="CVE-2026-42769"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-15.