CVE-2026-45447: Heap Use-After-Free in the OpenSSL PKCS7_verify() Function
19 points by hoistbypetard
This one is worth an immediate patch.
By my read, the function in question can be triggered by a malicious TLS server before its certificate is verified, if authorityInformationAccess is being processed, depending on how the library is configured. (And pre-verification in general for applications that are directly using the PKCS7 API.)
Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.
If you think your application is using the CMS APIs, check very carefully. I'm sure I'm aware of code I've written that's still being run which didn't ever migrate to the newer APIs, even though it's been updated recently enough that one might reasonably expect that.
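The "check very carefully" advice above is easy to act on with a quick audit. The following script is an added example (not code from the thread, from OpenSSL, or from any of the commenters): it scans a source tree for calls to the legacy PKCS#7 verification entry points, summarizes how many files use any PKCS7_* versus CMS_* function, and offers an nm-based check for already-built binaries. The file names and sample sources in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSL: audit a source tree for
# the legacy OpenSSL PKCS#7 API vs. the CMS API. The sample files created
# by demo() are constructed for illustration.

# Word-boundary fragments that work in both GNU and BSD grep.
WB_L='(^|[^A-Za-z0-9_])'
WB_R='([^A-Za-z0-9_]|$)'

# Print every source line that calls a legacy PKCS#7 verification or
# decoding entry point, as "file:line:text". Returns 0 if any were found.
find_legacy_pkcs7_calls() {
    grep -rnE "${WB_L}PKCS7_(verify|dataVerify|signatureVerify|dataDecode|decrypt)${WB_R}" \
        --include='*.c' --include='*.cc' --include='*.cpp' --include='*.h' "$1"
}

# Count files calling any PKCS7_* function and any CMS_* function.
# Prints "legacy_pkcs7_files=N cms_files=M".
summarize_api_usage() {
    legacy=$(grep -rlE "${WB_L}PKCS7_[A-Za-z0-9_]+\(" \
        --include='*.c' --include='*.cc' --include='*.cpp' --include='*.h' "$1" \
        | wc -l | tr -d ' ')
    cms=$(grep -rlE "${WB_L}CMS_[A-Za-z0-9_]+\(" \
        --include='*.c' --include='*.cc' --include='*.cpp' --include='*.h' "$1" \
        | wc -l | tr -d ' ')
    echo "legacy_pkcs7_files=$legacy cms_files=$cms"
}

# For a dynamically linked ELF binary, check whether it imports any
# PKCS7_* symbol from libcrypto (needs nm from binutils). Returns 0 if so.
binary_imports_pkcs7() {
    nm -D "$1" 2>/dev/null | grep -qE ' U PKCS7_'
}

# Demo on a constructed tree: one file still on the legacy API, one migrated.
demo() {
    tree=$(mktemp -d)
    cat > "$tree/mailverify.c" <<'EOF'
/* constructed sample: legacy PKCS#7 API */
int check(PKCS7 *p7, BIO *in) { return PKCS7_verify(p7, NULL, store, in, NULL, 0); }
EOF
    cat > "$tree/cmsverify.c" <<'EOF'
/* constructed sample: CMS API */
int check(CMS_ContentInfo *cms, BIO *in) { return CMS_verify(cms, NULL, store, in, NULL, 0); }
EOF
    find_legacy_pkcs7_calls "$tree"
    summarize_api_usage "$tree"
    rm -rf "$tree"
}

demo
```

Run it against a checkout with `find_legacy_pkcs7_calls /path/to/src` and point `binary_imports_pkcs7` at deployed executables; a non-zero legacy count, or any `U PKCS7_` import, means the code has not migrated to the CMS API regardless of how recently it was touched.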
PKCS #7 should not be used in any way in a TLS server. It's the underlying standard for cryptographic message syntax, aka S/MIME encrypted e-mail.
The most likely attack surface is probably in e-mail applications that parse S/MIME mails automatically.
While you're very much correct about the usual use of the PKCS#7 cryptographic message syntax (and its IETF-standardized successor), also correct that the TLS protocol doesn't use that syntax directly, and also correct about the most likely attack surface, you're overlooking a space where the syntax is used.
When a TLS client connects to a TLS server, we almost always use an X.509 certificate to identify the server and occasionally also use one to identify the client.
When processing the peer X.509 certificate, you usually need to build and validate a certification path in order to be sure you trust that your peer is who it claims to be. (There are ways to do this without certification path processing, to be sure, but that's even less common than using client-side certificates.)
When you're building and validating a certification path, you can choose to use certain certificate extensions that are included by the issuer to help you discover a path you trust. The one that I know offhand uses the PKCS#7 CMS is Authority Information Access. When processing the content of this extension, I expect (but have not confirmed) that PKCS7_verify() could be called.
I'd be surprised if this ever happened in a server. I'd expect clients to sometimes be configured so that it does, particularly clients that verify paths using cross-certificates. Chasing down cross-certificates to build and validate a path is only common in certain environments, but if you're in one, you really want to patch.
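To find out whether your own PKI puts path-building clients in the situation the reply above describes, you can inventory the Authority Information Access caIssuers locations in your certificates and flag any that point at a PKCS#7 certificate bundle (.p7c/.p7b). The script below is an added example, not code from the thread or from OpenSSL; it parses the text that `openssl x509 -noout -ext authorityInfoAccess` prints, and the extension text used in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSL: list AIA caIssuers URIs
# in a certificate and flag those that name a PKCS#7 bundle. The
# extension text in demo_aia() is constructed for illustration.

# Read the text form of the authorityInfoAccess extension (as printed by
# `openssl x509 -noout -ext authorityInfoAccess`) from stdin and print one
# caIssuers URI per line.
aia_ca_issuer_uris() {
    sed -n 's/^[[:space:]]*CA Issuers - URI:\(.*\)$/\1/p'
}

# Keep only URIs that name a PKCS#7 certificate bundle. Returns 0 if any.
pkcs7_bundle_uris() {
    grep -iE '\.p7[bc]$'
}

# Run the check on a PEM certificate file (needs the openssl CLI).
# Prints the bundle URIs; returns 0 if any were found, 1 otherwise.
cert_uses_pkcs7_aia() {
    openssl x509 -in "$1" -noout -ext authorityInfoAccess 2>/dev/null \
        | aia_ca_issuer_uris | pkcs7_bundle_uris
}

# Demo on constructed extension text shaped like openssl's output.
demo_aia() {
    printf '%s\n' \
        'Authority Information Access: ' \
        '    OCSP - URI:http://ocsp.example.test' \
        '    CA Issuers - URI:http://pki.example.test/issuer.cer' \
        '    CA Issuers - URI:http://pki.example.test/issuer-bundle.p7c' \
        | aia_ca_issuer_uris | pkcs7_bundle_uris
}

demo_aia
```

Loop `cert_uses_pkcs7_aia` over the intermediates and cross-certificates your clients are expected to chase; any hit identifies a certificate whose AIA hands unauthenticated PKCS#7 data to a client that follows it, which is the population that most wants the patch.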