Improper Verification of Cryptographic Signature Affecting openssl-static package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS6-OPENSSLSTATIC-17309827
- published11 Jun 2026
- disclosed9 Jun 2026
Introduced: 9 Jun 2026
NewCVE-2026-45446 (opens in a new tab)How to fix?
There is no fixed version for Centos:6 openssl-static.
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl-static package and not the openssl-static package as distributed by Centos.
See How to fix? for Centos:6 relevant fixed versions and status.
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.
Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.
AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD
modes: they accept a key, nonce, optional AAD (bytes that are authenticated
but not encrypted), and plaintext, and produces ciphertext plus a 16-byte
tag. On decrypt, EVP_DecryptFinal_ex() is documented to return success only
if the tag is verified succesfully.
In OpenSSL's provider implementation of these ciphers, the expected tag is
computed only when decryption function is invoked with non-empty data.
If the caller supplies AAD and then calls EVP_DecryptFinal_ex() without
invocation of the ciphertext update, which can happen when the received
ciphertext length is zero, the tag is never recalculated and still holds its
all-zeros value.
When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key.
AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.
No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives.
The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
References
- https://access.redhat.com/security/cve/CVE-2026-45446
- https://github.com/openssl/security/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc
- https://github.com/openssl/security/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3
- https://github.com/openssl/security/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85
- https://github.com/openssl/security/commit/daca0f48e4a69a2892a62262bad59e62a8a76598
- https://github.com/openssl/security/commit/eec5e9bf0d867333b8495e456f5235d225798a68
- https://openssl-library.org/news/secadv/20260609.txt
- https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc
- https://github.com/openssl/openssl/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3
- https://github.com/openssl/openssl/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85
- https://github.com/openssl/openssl/commit/daca0f48e4a69a2892a62262bad59e62a8a76598
- https://github.com/openssl/openssl/commit/eec5e9bf0d867333b8495e456f5235d225798a68