CVE-2026-45445: AES-OCB IV Ignored on EVP_Cipher() Path
Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.
Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message.
OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not.
Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair.
The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 3.0.21
- Affected Products: 1
HarborGuard Analysis
Synopsis
An IV-handling flaw in OpenSSL's AES-OCB implementation causes the EVP_Cipher() one-shot interface to silently discard the caller-supplied initialisation vector (IV), reusing the all-zero nonce on every encryption call under the same key. The vulnerability is remotely reachable with no authentication required, as any attacker positioned to intercept or inject ciphertext can exploit the resulting nonce reuse. Successful exploitation lets an attacker recover plaintext (full confidentiality loss) and forge authentication tags for arbitrary ciphertext, effectively nullifying the authenticated encryption guarantee. Patched-image rebuilds at OpenSSL versions 3.0.21, 3.4.6, 3.5.7, 3.6.3, and 4.0.1 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against OpenSSL packages in all customer registry images, including custom-built base images that bundle their own OpenSSL copy. The scanner identifies affected version ranges precisely, covering all four active release branches listed in the advisory.
Triage: Available
HarborGuard scores this CVE at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and weights it against each environment's compliance policy to determine priority and routing. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Remediation: Available
A patched-image rebuild at each fix version (3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1, matched to the branch in use) is available on HarborGuard for any environment running an affected OpenSSL version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the service over the network; AV:N means no local or physical access is needed to supply or intercept ciphertext encrypted under the broken IV path.
- Authentication: Not required
  No credentials or account are needed; PR:N means an unauthenticated attacker can submit or capture messages to exploit nonce reuse.
- Victim interaction: Not required
  No user action is required; UI:N means exploitation is entirely attacker-driven without any social engineering.
- Attack complexity: Low
  Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific preconditions beyond the vulnerable API path being in use.
Blast Radius
- Reads plaintext of any message encrypted under a reused (key, all-zero nonce) pair, because nonce reuse in a stream cipher mode leaks the XOR of plaintexts when two ciphertexts are captured.
- Forges a valid authentication tag for arbitrary ciphertext using a single captured (key, IV) message, bypassing the integrity and authenticity guarantee of AES-OCB entirely.
- Any application-level protocol relying on AES-OCB for confidential or authenticated data transmission is exposed, including custom encrypted APIs and message queues that call EVP_Cipher() directly.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of publication for any image that packages an affected OpenSSL version (all 3.0.x before 3.0.21, 3.4.x before 3.4.6, 3.5.x before 3.5.7, 3.6.x before 3.6.3, and 4.0.0). A patched rebuild pinned to the correct fix version for the branch in use is available immediately. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a PR against affected workloads; median time to merged patch PR for high-severity issues is around 90 minutes. Note that only applications calling EVP_Cipher() directly with AES-OCB are vulnerable; the OpenSSL TLS stack and the streaming EVP_CipherUpdate path are unaffected, so triage should focus on images whose application code uses the one-shot EVP_Cipher() interface with AES-OCB. Where compliance policy permits, enabling auto-remediation on these images is the fastest path to closing the exposure.
Fix available
- OpenSSL / OpenSSL: < 4.0.1 (from 4.0.0) · < 3.6.3 (from 3.6.0) · < 3.5.7 (from 3.5.0) · < 3.4.6 (from 3.4.0) · < 3.0.21 (from 3.0.0)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
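As an added triage helper (example code written for this page, not HarborGuard's tooling or OpenSSL's own code), the script below encodes the affected ranges from the list above and flags C source that pairs the EVP_Cipher() one-shot call with an AES-OCB cipher, which the advisory identifies as the only vulnerable combination. The cipher-name spellings it matches and the C fragments it scans are constructed assumptions.

```python
import re

# (branch, first affected, first fixed) taken from the advisory's "Fix available" list.
AFFECTED_RANGES = [
    ((4, 0), (4, 0, 0), (4, 0, 1)),
    ((3, 6), (3, 6, 0), (3, 6, 3)),
    ((3, 5), (3, 5, 0), (3, 5, 7)),
    ((3, 4), (3, 4, 0), (3, 4, 6)),
    ((3, 0), (3, 0, 0), (3, 0, 21)),
]

def parse_version(text):
    """Extract (major, minor, patch) from '3.5.4' or 'OpenSSL 3.0.13 30 Jan 2024'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected_version(text):
    """True when the version lies inside a vulnerable range of a listed branch."""
    v = parse_version(text)
    for branch, first_bad, first_fixed in AFFECTED_RANGES:
        if v[:2] == branch:
            return first_bad <= v < first_fixed
    return False  # branches the advisory does not list (e.g. 3.1 to 3.3)

# Assumed spellings by which code selects an OCB cipher: the EVP_aes_*_ocb()
# constructors, or a provider name such as "AES-256-OCB" given to EVP_CIPHER_fetch().
OCB_PATTERN = re.compile(r"EVP_aes_\d{3}_ocb\b|[\"']AES-\d{3}-OCB[\"']", re.IGNORECASE)
# The one-shot call only; EVP_CipherUpdate()/EVP_CipherInit_ex() do not match.
ONE_SHOT_PATTERN = re.compile(r"\bEVP_Cipher\s*\(")

def find_risky_call_sites(source):
    """Line numbers of EVP_Cipher() calls in a source file that also selects AES-OCB."""
    if not OCB_PATTERN.search(source):
        return []  # OCB never used in this file: out of scope for this CVE
    return [n for n, line in enumerate(source.splitlines(), 1)
            if ONE_SHOT_PATTERN.search(line)]

# Constructed C fragments for a self-check (not taken from any real project).
ONE_SHOT_SAMPLE = """\
EVP_EncryptInit_ex(ctx, EVP_aes_256_ocb(), NULL, key, iv);
EVP_Cipher(ctx, out, in, inlen);                  /* one-shot: IV dropped on affected builds */
EVP_EncryptFinal_ex(ctx, out + inlen, &tmplen);
"""
STREAMING_SAMPLE = """\
EVP_EncryptInit_ex(ctx, EVP_aes_256_ocb(), NULL, key, iv);
EVP_EncryptUpdate(ctx, out, &outlen, in, inlen);  /* documented path: not affected */
EVP_EncryptFinal_ex(ctx, out + outlen, &tmplen);
"""
```

Run find_risky_call_sites() over each C file in an image's application source and is_affected_version() over the output of `openssl version` to decide which images the patched rebuild should be prioritised for.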