CVE-2026-9076: Out-of-Bounds Read in CMS Password-Based Decryption
Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 1.0.2zq
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An out-of-bounds heap read in OpenSSL's CMS password-based decryption (the PWRI key-unwrap routine, kek_unwrap_key()) allows a network attacker to submit crafted CMS data that selects a stream-mode cipher where a block cipher is expected, causing the unwrap code to read a few bytes past the end of a heap allocation. No authentication is needed and no password knowledge is required because the over-read happens before any credential check. Successful exploitation crashes the affected application, resulting in denial of service; there is no data disclosure. Patched-image rebuilds at versions 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, and 3.5.7 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-9076 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the OpenSSL CNA) within minutes of publication and matched against all customer images, including custom-built images that bundle an affected OpenSSL version.
AvailableHarborGuard scores this issue at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and can apply per-environment compliance policy weighting to adjust priority before routing findings to the appropriate team inbox within each customer organization.
AvailableA patched-image rebuild at the applicable fix version (1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, or 3.5.7 depending on the OpenSSL branch in use) becomes available on HarborGuard once the upstream package is published. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes regression tests, and opens a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker submits malicious CMS data over the network to any application calling CMS_decrypt() or CMS_decrypt_set1_password() on untrusted input.
- AuthenticationNot required
No credentials or password knowledge are required; the heap over-read occurs during the key-unwrap attempt before any authentication check.
- Victim interactionNot required
No user action is needed; the application processes the attacker-supplied CMS data automatically upon receipt.
- Attack complexityDetail
The exploit is straightforward and condition-free: the attacker simply supplies a CMS payload referencing a stream-mode cipher OID; no race conditions or environmental constraints are needed.
Blast Radius
- Crashes the process handling CMS decryption, taking down any service that calls CMS_decrypt() or CMS_decrypt_set1_password() on untrusted data.
- No data is read out by the attacker; the over-read bytes are consumed internally and not reflected in any response.
- Impact is limited to availability; confidentiality and integrity of stored data are not affected by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-9076 runs against all registered images immediately after CVE ingestion, flagging any image whose OpenSSL package falls below the applicable fix version (1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, or 3.5.7). For customers who opt into auto-remediation, HarborGuard can trigger a base-image rebuild pinned to the patched OpenSSL version, run a regression test suite against the rebuilt image, and open a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS scoring and policy-weighted priority attached. Because the FIPS modules are not affected, images using only FIPS-validated paths can be annotated as out-of-scope by configuring the appropriate compliance policy rule in HarborGuard.
Fix available
- OpenSSL / OpenSSL< 4.0.1 (from 4.0.0) · < 3.6.3 (from 3.6.0) · < 3.5.7 (from 3.5.0) · < 3.4.6 (from 3.4.0) · < 3.0.21 (from 3.0.0) · < 1.1.1zh (from 1.1.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H