GHSA-gxhg-7jx8-m22j · Severity: medium — Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger...
Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Conclusion & alert: CVE-2026-42767 is rated Low Risk (33/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.34%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.06% | 0.34% | +0.29% |
| 2 | 2026-06-10 | — | 0.06% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.9 | 3.1 | MEDIUM |
|
2.2 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-gxhg-7jx8-m22j · Severity: medium — Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2026-42767 unimportant priority: Debian including 1 source packages (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2026-42767 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2026-42767 |
suse
|
medium | CVE-2026-42767 severity moderate: SUSE including 36 source package names (compat-openssl098, libopenssl-1_0_0-devel, …), 239 product×package rows across 35 product lines (SUSE Liberty Linux 10, SUSE Liberty Linux 9, … (35 product lines)): Known Not Affected 231, Fixed 8. | https://www.suse.com/security/cve/CVE-2026-42767/ |
ubuntu
|
low | CVE-2026-42767 low priority: Ubuntu including 5 source packages (edk2, nodejs, openssl, openssl-fips, openssl1.0), 35 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): not-affected 14, DNE 8, needs-triage 8, released 4, needed 1. | https://ubuntu.com/security/CVE-2026-42767 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| openssl | openssl | >= 3.0.0, < 3.0.21 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 3.4.0, < 3.4.6 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 3.5.0, < 3.5.7 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | >= 3.6.0, < 3.6.3 | cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* |
| openssl | openssl | 4.0.0 | cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:* |