{
  "affected": [
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "Alpine:v3.22",
        "name": "openssl",
        "purl": "pkg:apk/alpine/openssl?arch=source"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "Alpine:v3.23",
        "name": "openssl",
        "purl": "pkg:apk/alpine/openssl?arch=source"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "Alpine:v3.24",
        "name": "openssl",
        "purl": "pkg:apk/alpine/openssl?arch=source"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Issue Summary: PKCS#12 file processing fails to perform sufficient input\nvalidation for files that use the Password-Based Message Authentication Code 1\n(PBMAC1) integrity mechanism, allowing certificate and private key forgery.\n\nImpact Summary: An attacker impersonating a user can cause a service reading\nPKCS#12 files to accept forged certificates and private keys with a 1 in 256\nprobability.\n\nIf a service accepting PKCS#12 files is using passwords for authenticating\nthe received files, the attacker can create unencrypted PKCS#12 files that\nuse PBMAC1 authentication that specifies an HMAC key of only one byte, allowing\nthem to craft a file that will be accepted with a 1 in 256 probability.\nThat would then cause the service to accept a certificate and private key\ncontrolled by the attacker.\n\nThe FIPS modules are not affected by this issue, as the affected code is\noutside the OpenSSL FIPS module boundary.",
  "id": "ALPINE-CVE-2026-34181",
  "modified": "2026-06-15T18:18:11.202252174Z",
  "published": "2026-06-09T17:17:04.740Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security.alpinelinux.org/vuln/CVE-2026-34181"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "upstream": [
    "CVE-2026-34181"
  ]
}