CVE-2026-42765: NULL Dereference in Certificate Verification with OCSP Checking
Issue summary: When partial-chain certificate verification is enabled together with OCSP response checking for the whole chain, a NULL dereference will happen if the verified chain does not have a self-signed trusted anchor, crashing the process.

Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.

When performing OCSP response checking for certificates in the verification chain, the code always tries to access the next certificate as the issuer. There is a check for a self-signed certificate. However, with partial chain verification enabled, when the chain does not have a self-signed trusted anchor the issuer will be NULL for the last certificate in the chain, and a NULL pointer dereference then happens.

This issue affects only applications which enable both OCSP verification of the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial chain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate verification. Both flags are disabled by default. For that reason, we have assigned Low severity to the issue.

No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.
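The chain walk described above, reduced to a runnable model. This is an added example and not OpenSSL's code: the cert_t type, the three status codes and the sample chains are constructed for illustration, and the NULL test on the issuer is the guard the advisory says is missing in affected versions; the page does not state how the upstream fix handles the case, so the model simply reports it as a verification error instead of dereferencing the pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* A certificate reduced to the one property the chain walk cares about.
 * Constructed toy type for this example; not an OpenSSL structure. */
typedef struct {
    const char *subject;
    int self_signed;   /* 1 when issuer == subject, i.e. a self-signed anchor */
} cert_t;

enum {
    CHAIN_OK = 0,          /* every certificate was paired with an issuer */
    CHAIN_UNTRUSTED = 1,   /* chain does not end in an accepted trust anchor */
    CHAIN_NO_ISSUER = 2    /* the guarded case: a certificate with no issuer */
};

/* Issuer used to validate the OCSP response for chain[i]: the certificate
 * itself when self-signed, otherwise the next certificate up the chain.
 * Returns NULL when chain[i] is the last element and not self-signed, which
 * is exactly what a partial chain ending in a non-self-signed anchor gives. */
static const cert_t *issuer_for(const cert_t *chain, size_t n, size_t i)
{
    if (chain[i].self_signed)
        return &chain[i];
    if (i + 1 < n)
        return &chain[i + 1];
    return NULL;
}

/* Model of the OCSP_RESP_CHECK_ALL walk. 'partial_chain' stands in for
 * X509_V_FLAG_PARTIAL_CHAIN: with it set, a chain whose top certificate is
 * not self-signed is still accepted as trusted and reaches the OCSP walk.
 * 'checked' receives how many certificates were paired with an issuer. */
int ocsp_check_chain(const cert_t *chain, size_t n, int partial_chain,
                     size_t *checked)
{
    size_t i;

    *checked = 0;
    if (n == 0)
        return CHAIN_UNTRUSTED;
    /* Path building: without PARTIAL_CHAIN the chain must reach a
     * self-signed anchor, so the crash path is never entered. */
    if (!partial_chain && !chain[n - 1].self_signed)
        return CHAIN_UNTRUSTED;

    for (i = 0; i < n; i++) {
        const cert_t *issuer = issuer_for(chain, n, i);

        /* This NULL test is the guard the advisory describes as missing:
         * without it, the walk reads issuer->subject for the last
         * certificate of a partial chain and the process crashes. */
        if (issuer == NULL)
            return CHAIN_NO_ISSUER;

        /* The real OCSP response check for chain[i] against issuer
         * would run here; the model only counts the pairing. */
        (*checked)++;
    }
    return CHAIN_OK;
}

/* Convenience wrappers so each result can be inspected on its own. */
int chain_status(const cert_t *chain, size_t n, int partial_chain)
{
    size_t checked;
    return ocsp_check_chain(chain, n, partial_chain, &checked);
}

size_t chain_checked(const cert_t *chain, size_t n, int partial_chain)
{
    size_t checked;
    ocsp_check_chain(chain, n, partial_chain, &checked);
    return checked;
}

/* Constructed sample chains. */
const cert_t full_chain[] = {
    { "CN=leaf", 0 }, { "CN=intermediate", 0 }, { "CN=root", 1 }
};
const cert_t partial_chain_sample[] = {
    { "CN=leaf", 0 }, { "CN=intermediate", 0 }   /* anchor is the intermediate */
};

int main(void)
{
    printf("full chain, PARTIAL_CHAIN off:    rc=%d checked=%zu\n",
           chain_status(full_chain, 3, 0), chain_checked(full_chain, 3, 0));
    printf("partial chain, PARTIAL_CHAIN off: rc=%d checked=%zu\n",
           chain_status(partial_chain_sample, 2, 0),
           chain_checked(partial_chain_sample, 2, 0));
    printf("partial chain, PARTIAL_CHAIN on:  rc=%d checked=%zu\n",
           chain_status(partial_chain_sample, 2, 1),
           chain_checked(partial_chain_sample, 2, 1));
    return 0;
}
```

The third call is the advisory's scenario: the leaf is paired with the intermediate, but the intermediate, being the non-self-signed anchor of a partial chain, has no issuer certificate above it, and that is where the unguarded code dereferences NULL.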
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 3.6.3
- Affected Products: 1
HarborGuard Analysis
Synopsis
A NULL pointer dereference in OpenSSL's certificate verification logic crashes any process that enables both OCSP chain-response checking (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial-chain verification (X509_V_FLAG_PARTIAL_CHAIN) when the verified chain lacks a self-signed trust anchor. The flaw is reachable over the network by an unauthenticated attacker and requires no user interaction, making it exploitable by sending a crafted certificate chain to an affected service. Successful exploitation crashes the target process, causing a denial of service. Patched-image rebuilds at OpenSSL 3.6.3 and 4.0.1 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that vendor OpenSSL directly. Any image layer containing an affected OpenSSL version is flagged automatically in both registry scans and CI pipeline checks. (Status: Available)

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.5 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Triage findings are routed to the configured team inbox, distinguishing between images where both triggering flags are plausibly in use and those where neither flag is enabled by default. (Status: Available)

A patched-image rebuild at OpenSSL 3.6.3 or 4.0.1 becomes available in HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test suite, and opens a pull request against affected workloads automatically. (Status: Available)

Exploit Conditions
- Network reachability: Required. The vulnerable code path is reachable over the network: an attacker can trigger it by presenting a crafted certificate chain to any exposed service that performs the affected verification.
- Authentication: Not required. No credentials or account are needed; the attacker only needs to initiate a TLS or certificate-verification handshake with the target service.
- Victim interaction: Not required. No user or operator action is required; the crash is triggered by the incoming certificate chain during normal protocol processing.
- Attack complexity: Low. The trigger is reliable and needs no special conditions beyond the target application having both X509_V_FLAG_OCSP_RESP_CHECK_ALL and X509_V_FLAG_PARTIAL_CHAIN enabled, which is non-default but a fixed configuration state rather than something the attacker has to win.
Blast Radius
- Crashes the OpenSSL-using process immediately upon processing a crafted certificate chain, taking down any service that depends on it.
- Brings the affected service completely offline until the crashed process is restarted, denying access to all clients connecting to that endpoint.
- No confidential data is read and no data is modified; impact is limited entirely to availability.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication against all images in customer registries and build pipelines, including images that bundle OpenSSL as a vendored dependency. For environments running OpenSSL 3.6.0 through 3.6.2 or 4.0.0, a rebuild at the patched version (3.6.3 or 4.0.1) is available. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically; for high-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Because both triggering flags (X509_V_FLAG_OCSP_RESP_CHECK_ALL and X509_V_FLAG_PARTIAL_CHAIN) are disabled by default, customers who cannot patch immediately can apply a compensating control by auditing application startup configuration to confirm neither flag is set, and by isolating certificate-validation endpoints behind network policy to reduce the population of sources that can present crafted chains.
Affected Products
- Vendor: OpenSSL · Product: OpenSSL · Versions: < 4.0.1 (from 4.0.0) · < 3.6.3 (from 3.6.0)

CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
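A small triage helper for the version ranges listed under Affected Products and in the remediation paragraph above. This is an added example, not HarborGuard's or OpenSSL's code: it parses the output of `openssl version` (the sample banners are constructed) and reports whether the version falls in [3.6.0, 3.6.3) or [4.0.0, 4.0.1), the two affected ranges the page gives.

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    int major, minor, patch;
} ossl_version;

/* Parse a bare "3.6.1" or a full `openssl version` banner such as
 * "OpenSSL 3.6.1 15 Oct 2025" (constructed sample). Returns 1 on success.
 * Pre-3.0 letter releases such as 1.1.1w parse as 1.1.1, which sits
 * outside every affected range, the right answer for this CVE. */
int parse_openssl_version(const char *text, ossl_version *v)
{
    const char *p = strstr(text, "OpenSSL ");

    p = p ? p + strlen("OpenSSL ") : text;
    return sscanf(p, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3;
}

static int version_cmp(ossl_version a, ossl_version b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* lo <= v < fixed, the "from X" / "< Y" shape of the affected-products row */
static int in_affected_range(ossl_version v, ossl_version lo, ossl_version fixed)
{
    return version_cmp(v, lo) >= 0 && version_cmp(v, fixed) < 0;
}

/* Returns 1 if the version is affected (3.6.0 through 3.6.2, or 4.0.0),
 * 0 if it is outside both ranges, and -1 if no version could be parsed. */
int openssl_affected_by_cve_2026_42765(const char *text)
{
    const ossl_version lo36 = { 3, 6, 0 }, fix36 = { 3, 6, 3 };
    const ossl_version lo40 = { 4, 0, 0 }, fix40 = { 4, 0, 1 };
    ossl_version v;

    if (!parse_openssl_version(text, &v))
        return -1;
    return in_affected_range(v, lo36, fix36) || in_affected_range(v, lo40, fix40);
}

int main(void)
{
    /* Constructed banners standing in for `openssl version` output. */
    const char *samples[] = {
        "OpenSSL 3.6.1 15 Oct 2025",
        "OpenSSL 3.6.3",
        "OpenSSL 4.0.0",
        "OpenSSL 3.0.13 30 Jan 2024",
        "OpenSSL 1.1.1w 11 Sep 2023",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s affected=%d\n", samples[i],
               openssl_affected_by_cve_2026_42765(samples[i]));
    return 0;
}
```

A version match only says the code is present; the crash also needs both flags set. For the compensating control described above, the runtime check that complements this is reading the verify parameters' flag word with X509_VERIFY_PARAM_get_flags() and confirming that X509_V_FLAG_OCSP_RESP_CHECK_ALL and X509_V_FLAG_PARTIAL_CHAIN are not both set on any store or SSL_CTX the application creates.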