HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-34181Published Modified CNA openssl

CVE-2026-34181: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys

Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Metrics

CVSS v3.1
7.4
Severity
HIGH
Fixed in
3.4.6
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an input-validation vulnerability in OpenSSL's PKCS#12 file processing. The flaw is reachable over the network without authentication, but exploitation requires the attacker to win a 1-in-256 probability check per attempt, placing it in the high-complexity category. A successful attacker can cause a service to accept a forged certificate and private key, enabling identity impersonation and data tampering. Patched-image rebuilds at OpenSSL versions 3.4.6, 3.5.7, 3.6.3, and 4.0.1 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-34181 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle OpenSSL directly.

Available
Triage

HarborGuard scores this CVE at CVSS 7.4 (HIGH) and is capable of weighting that score against each environment's compliance policy to determine urgency; triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

A patched-image rebuild targeting the applicable fix version (3.4.6, 3.5.7, 3.6.3, or 4.0.1 depending on the installed branch) becomes available on HarborGuard for any image found to carry an affected OpenSSL release. For customers who opt into auto-remediation, HarborGuard is capable of running the rebuild alongside a regression test suite and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable PKCS#12 parsing endpoint must be reachable over the network, so the attacker submits a crafted file to a remotely exposed service.

  • AuthenticationNot required

    No account or credential is needed before submitting the malicious PKCS#12 file; the attacker interacts with the service as an unauthenticated party.

  • Victim interactionNot required

    No user action is required; the vulnerability triggers when the service itself processes the attacker-supplied file.

  • Attack complexityDetail

    Exploitation is probabilistic rather than reliable: the attacker must win a 1-in-256 chance per attempt, which typically means repeated submissions until a crafted file is accepted, introducing a measurable environmental hurdle.

Blast Radius

  • The attacker injects a certificate and private key of their choosing, causing the target service to treat those credentials as legitimate.
  • Any identity or trust decision the service makes based on the accepted certificate is undermined, enabling impersonation of the certificate's stated subject.
  • Private key material supplied by the attacker can be used for subsequent decryption or signing operations performed by the service, extending the attacker's reach beyond the initial forgery.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34181 is active as soon as the advisory is ingested, and rebuilt images pinned to the appropriate fix branch (3.4.6, 3.5.7, 3.6.3, or 4.0.1) are made available for any image containing a vulnerable OpenSSL release. For customers who opt into auto-remediation, HarborGuard is capable of executing the full rebuild-and-PR flow; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, the rebuilt image is staged and a triage alert is routed to the designated owner for manual review and promotion. Note that OpenSSL FIPS module builds are not affected by this issue, so images exclusively using FIPS-boundary code do not require the rebuild.

See how HarborGuard automates this

Fix available

3.4.63.5.73.6.34.0.1
Patch commits
Affected packages
  • OpenSSL / OpenSSL
    < 4.0.1 (from 4.0.0) · < 3.6.3 (from 3.6.0) · < 3.5.7 (from 3.5.0) · < 3.4.6 (from 3.4.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
References