Improper Verification of Cryptographic Signature The advisory has been revoked - it doesn't affect any version of package shim-ia32  (opens in a new tab)


Threat Intelligence

EPSS
0.2% (10th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS8-SHIMIA32-17309505
  • published11 Jun 2026
  • disclosed9 Jun 2026

Introduced: 9 Jun 2026

NewCVE-2026-34181  (opens in a new tab)
CWE-347  (opens in a new tab)

Amendment

The Centos security team deemed this advisory irrelevant for Centos:8.

NVD Description

Note: Versions mentioned in the description apply only to the upstream shim-ia32 package and not the shim-ia32 package as distributed by Centos.

Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery.

Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability.

If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker.

The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.