OpenSSL shipped a patch on 9 June 2026 for a heap use-after-free in its legacy PKCS#7 API. The bug, tracked as CVE-2026-45447, sits in PKCS7_verify(), the function that checks PKCS#7 signatures and S/MIME messages. It was one of the first OpenSSL flaws surfaced with help from AI tooling during a code review.
What goes wrong
PKCS7_verify() takes a BIO object from the calling program and writes verified content into it. When it processes a signed message whose SignedData digestAlgorithms field is encoded as an empty ASN.1 SET, OpenSSL frees that BIO by mistake, even though ownership still belongs to the caller. Any later access to the now-freed BIO by the application is a use-after-free (CWE-416).
What happens next depends on the memory allocator and on how the application touches the BIO afterwards. In the mild case the process crashes. In the worst case you get heap corruption and, in some scenarios, remote code execution.
Who is affected
The flaw lives in the legacy PKCS#7 API. The attack surface is any program that calls PKCS7_verify() on input it receives from an external source. Mail clients and MTAs that validate S/MIME signatures are the primary exposure, since the signed message itself is the payload. No authentication or user interaction is needed beyond processing the message.
Affected versions span almost every live OpenSSL branch:
- 4.0.0 (fixed in 4.0.1)
- 3.6.0 through 3.6.2 (fixed in 3.6.3)
- 3.5.0 through 3.5.6 (fixed in 3.5.7)
- 3.4.0 through 3.4.5 (fixed in 3.4.6)
- 3.0.0 through 3.0.20 (fixed in 3.0.21)
- 1.1.1 through 1.1.1zg (1.1.1zh, premium support only)
- 1.0.2 through 1.0.2zp (1.0.2zq, premium support only)
Severity
The assigned CVSS v3.1 score is 9.8: network vector, low complexity, no privileges, no interaction. That is the top “critical” band, with one caveat worth keeping in mind. Whether the bug ends in code execution depends heavily on how the application handles the BIO after the call. Plenty of programs will simply crash. Even so, it is not something to leave unpatched, especially on mail servers that process S/MIME without a human in the loop.
Mitigation
Update the OpenSSL library to the patched release for your branch. On a Linux distribution this usually arrives as a system package update (openssl, libssl3 or equivalent), so applying security updates and restarting the services linked against the library is enough. Keep in mind that many services load OpenSSL once at startup, so a restart is required for them to pick up the fixed code.
If you maintain your own code, there is a way to sidestep the bug entirely: migrate from the legacy PKCS7_verify() API to OpenSSL’s CMS APIs, which are not affected. That has been the recommended path for handling signed messages for a while now.
Source
- SecurityWeek — OpenSSL Patches High-Severity Vulnerability Found With AI: https://www.securityweek.com/openssl-patches-high-severity-vulnerability-found-with-ai/
- NVD — CVE-2026-45447: https://nvd.nist.gov/vuln/detail/CVE-2026-45447