{"schema_version": "1.7.0", "id": "RLSA-2026:25237", "modified": "2026-06-13T00:06:18.947449Z", "published": "2026-06-13T00:05:06.020189Z", "upstream": ["CVE-2026-34180", "CVE-2026-34181", "CVE-2026-34182", "CVE-2026-34183", "CVE-2026-42764", "CVE-2026-42766", "CVE-2026-42767", "CVE-2026-42768", "CVE-2026-42769", "CVE-2026-42770", "CVE-2026-45445", "CVE-2026-45446", "CVE-2026-45447", "CVE-2026-7383", "CVE-2026-9076"], "summary": "Important: openssl security update", "details": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.\n\nSecurity Fix(es):\n\n* openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing (CVE-2026-7383)\n\n* openssl: OpenSSL: Denial of Service due to heap out-of-bounds read in CMS password-based decryption (CVE-2026-9076)\n\n* openssl: OpenSSL: Heap buffer over-read in ASN.1 decoding can lead to denial of service or information disclosure. (CVE-2026-34180)\n\n* openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys (CVE-2026-34181)\n\n* openssl: CMS AuthEnvelopedData Processing May Accept Forged Messages (CVE-2026-34182)\n\n* openssl: Unbounded Memory Growth in the QUIC PATH_CHALLENGE Handler (CVE-2026-34183)\n\n* openssl: NULL pointer dereference in QUIC server initial packet handling (CVE-2026-42764)\n\n* openssl: Possible NULL Dereference in Password-Based CMS Decryption (CVE-2026-42766)\n\n* openssl: NULL Pointer Dereference in CRMF EncryptedValue Decryption (CVE-2026-42767)\n\n* openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt() (CVE-2026-42768)\n\n* openssl: Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate (CVE-2026-42769)\n\n* openssl: FFC-DH Peer Validation Uses Attacker-Supplied q (CVE-2026-42770)\n\n* openssl: AES-OCB IV Ignored on EVP_Cipher() Path (CVE-2026-45445)\n\n* openssl: Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes (CVE-2026-45446)\n\n* openssl: Heap Use-After-Free in OpenSSL PKCS7_verify() (CVE-2026-45447)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}], "affected": [{"package": {"ecosystem": "Rocky Linux:10", "name": "openssl", "purl": "pkg:rpm/rocky-linux/openssl?distro=rocky-linux-10&epoch=1"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1:3.5.5-4.el10_2"}], "database_specific": {"yum_repository": "BaseOS"}}]}], "references": [{"type": "ADVISORY", "url": "https://errata.rockylinux.org/RLSA-2026:25237"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481897"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481890"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481892"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481880"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481882"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481891"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481881"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481879"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481884"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481894"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481885"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481898"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481896"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481893"}, {"type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481887"}], "credits": [{"name": "Rocky Enterprise Software Foundation"}, {"name": "Red Hat"}]}