What is CVE-2026-22796?

A medium-severity type confusion vulnerability in OpenSSL affects signature verification of PKCS#7 data, potentially leading to Denial of Service. Organizations should prioritize mitigation efforts.

What is the severity of CVE-2026-22796?

CVE-2026-22796 has a severity rating of MEDIUM with a CVSS base score of 5.3.

CVE-2026-22796 | Medium Vulnerability in OpenSSL

CVE-2026-22796 is classified as a type confusion vulnerability in OpenSSL, specifically affecting the signature verification process of signed PKCS#7 data. This vulnerability arises when an ASN1_TYPE union member is accessed without validating its type, resulting in the potential for an invalid or NULL pointer dereference when processing malformed PKCS#7 data. With a CVSS score of 5.3, this vulnerability is considered medium in severity.

The exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. Applications that perform signature verification of PKCS#7 data or directly invoke the PKCS7_digest_from_attributes() function are at risk. When the type of the message digest attribute is not validated, it may cause the application to access invalid memory, leading to a crash.

To successfully exploit this vulnerability, an attacker must supply a malformed signed PKCS#7 message to an application that performs verification. However, the impact of this vulnerability is limited to DoS, and it is worth noting that the PKCS7 API is considered legacy; applications are encouraged to utilize the CMS API instead.

It is important to highlight that the FIPS modules in versions 3.5, 3.4, 3.3, and 3.0 are not affected by this issue, as the parsing implementation for PKCS#7 falls outside the FIPS module boundary. The affected versions include OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, and 1.0.2.

Vulnerability Details

The vulnerability, CVE-2026-22796, occurs due to a type confusion in the signature verification process of PKCS#7 data. It has a CVSS score of 5.3, indicating a medium severity. The affected components and vendor are OpenSSL, specifically all versions prior to the vendor patch.

Technical Analysis

The root cause of this vulnerability lies in the improper validation of ASN1_TYPE union members during the signature verification process. The attack vector is network-based, which means an attacker can exploit this vulnerability remotely. The complexity of the attack is low, as it does not require any special privileges or user interaction. The impact on availability is low, as it can cause a Denial of Service, while confidentiality and integrity impacts are non-existent.

Risk & Impact Analysis

Organizations utilizing affected versions of OpenSSL need to consider the risk associated with this vulnerability. The potential for a Denial of Service attack could disrupt services, leading to downtime and associated costs. Given the medium severity rating, organizations should address this vulnerability in their patch management cycle. The blast radius is limited to applications relying on PKCS#7 signature verification.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The following OpenSSL versions are affected by this vulnerability: 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, and 1.0.2. Organizations should ensure they are running patched versions to mitigate this risk.

Mitigation & Remediation

To mitigate this vulnerability, organizations should apply the latest patches for OpenSSL. Regular updates are crucial for maintaining security. If a patch is unavailable, consider using configuration hardening and network controls to limit exposure. For more information, organizations can refer to the application security assessment services to identify potential risks.

Detection Guidance

Organizations should monitor logs for indicators of exploitation attempts related to PKCS#7 data verification. Look for unusual application crashes or service interruptions that coincide with PKCS#7 processing. Behavioral anomalies in applications using OpenSSL can also indicate exploitation.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2026-22796 reflects ongoing vulnerabilities in legacy systems like PKCS#7. Security teams should prioritize transitioning to more secure APIs, such as CMS, to prevent similar issues in the future. Monitoring for vulnerabilities in widely-used libraries like OpenSSL is essential for proactive defense. For more insights on security strategies, consider exploring our penetration testing methodology and vulnerability management program design resources.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-22796: Medium Vulnerability in OpenSSL