
[CIVN-2026-0310] Multiple Vulnerabilities in OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in OpenSSL
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: MEDIUM
Software Affected
OpenSSL version 4.0
OpenSSL version 3.6
OpenSSL version 3.5
OpenSSL version 3.4
OpenSSL version 3.0
OpenSSL version 1.1.1
OpenSSL version 1.0.2
Overview
Multiple vulnerabilities have been reported in OpenSSL, which could allow an attacker to execute malicious code, execute arbitrary code, cause denial of service and bypass integrity protections on the targeted system.
Target Audience:
All end-user organizations and individuals using OpenSSL.
Risk Assessment:
High risk of system compromise and service disruptions.
Impact Assessment:
Potential for remote code execution, integrity bypass and/or denial of service.
Description
OpenSSL is free and open-source software for general-purpose cryptography and secure communication. It provides a robust, full-featured toolkit for implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Multiple vulnerabilities exist in OpenSSL due to improper memory management, insufficient input validation, cryptographic implementation flaws, authentication bypass conditions, certificate validation errors, denial-of-service weaknesses, and protocol processing issues in components such as PKCS#7, CMS, QUIC, OCSP, ASN.1, CMP, PKCS#12, and various cryptographic APIs. An attacker could exploit these vulnerabilities to trigger double-free errors, heap buffer overflows, heap buffer over-reads, NULL pointer dereferences, authentication bypasses, message forgery, cryptographic key recovery attacks, certificate forgery, trust-anchor substitution, Bleichenbacher-style oracle attacks, memory exhaustion, and denial-of-service conditions on the targeted system.
Successful exploitation of these vulnerabilities could allow an attacker to execute malicious code, execute arbitrary code, cause denial of service and bypass integrity protections on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://openssl-library.org/news/secadv/20260609.txt
Vendor Information
OpenSSL
https://openssl-library.org/news/vulnerabilities/
References
https://openssl-library.org/news/secadv/20260609.txt
CVE Name
CVE-2026-34182
CVE-2026-34183
CVE-2026-35188
CVE-2026-42764
CVE-2026-45445
CVE-2026-7383
CVE-2026-9076
CVE-2026-34180
CVE-2026-34181
CVE-2026-42765
CVE-2026-42766
CVE-2026-42767
CVE-2026-42768
CVE-2026-42769
CVE-2026-42770
CVE-2026-42771
CVE-2026-45446
- --
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


