{"id":"CVE-2026-22795","details":"Issue summary: An invalid or NULL pointer dereference can happen in\nan application processing a malformed PKCS#12 file.\n\nImpact summary: An application processing a malformed PKCS#12 file can be\ncaused to dereference an invalid or NULL pointer on memory read, resulting\nin a Denial of Service.\n\nA type confusion vulnerability exists in PKCS#12 parsing code where\nan ASN1_TYPE union member is accessed without first validating the type,\ncausing an invalid pointer read.\n\nThe location is constrained to a 1-byte address space, meaning any\nattempted pointer manipulation can only target addresses between 0x00 and 0xFF.\nThis range corresponds to the zero page, which is unmapped on most modern\noperating systems and will reliably result in a crash, leading only to a\nDenial of Service. Exploiting this issue also requires a user or application\nto process a maliciously crafted PKCS#12 file. It is uncommon to accept\nuntrusted PKCS#12 files in applications as they are usually used to store\nprivate keys which are trusted by definition. 
For these reasons, the issue\nwas assessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.","modified":"2026-04-16T04:39:04.894264427Z","published":"2026-01-27T16:16:35.430Z","related":["ALSA-2026:1472","ALSA-2026:1473","CGA-wggh-4hqr-p82f","SUSE-SU-2026:0309-1","SUSE-SU-2026:0310-1","SUSE-SU-2026:0311-1","SUSE-SU-2026:0312-1","SUSE-SU-2026:0331-1","SUSE-SU-2026:0343-1","SUSE-SU-2026:0346-1","SUSE-SU-2026:0358-1","SUSE-SU-2026:0359-1","SUSE-SU-2026:0360-1","SUSE-SU-2026:20211-1","SUSE-SU-2026:20223-1","SUSE-SU-2026:20349-1","SUSE-SU-2026:20373-1","openSUSE-SU-2026:10237-1","openSUSE-SU-2026:20152-1"],"references":[{"type":"ADVISORY","url":"https://openssl-library.org/news/secadv/20260127.txt"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/eeee3cbd4d682095ed431052f00403004596373e"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"e04bd3433fd84e1861bf258ea37928d9845e6a86"},{"fixed":"e04bd3433fd84e1861bf258ea37928d9845e6a86"},{"introduced":"89cd17a031e022211684eb7eb41190cf1910f9fa"},{"fixed":"a22063cd69a077cc68bb4c10e9f351f75899b194"},{"introduced":"4cb31128b5790819dfeea2739fbde265f71a10a2"},{"fixed":"4601ff25acd6c2fe58a8bfe241e6c470e27b8074"},{"introduced":"98acb6b02839c609ef5b837794e08d906d965335"},{"fixed":"565bdcc41bbf89fcbaf96263646933
2689f0c9fd"},{"introduced":"636dfadc70ce26f2473870570bfd9ec352806b1d"},{"fixed":"67b5686b4419b4cb8caa502711c41815f5279751"},{"introduced":"7b371d80d959ec9ab4139d09d78e83c090de9779"},{"fixed":"c9a9e5b10105ad850b6e4d1122c645c67767c341"},{"fixed":"2502e7b7d4c0cf4f972a881641fe09edc67aeec4"},{"fixed":"572844beca95068394c916626a6d3a490f831a49"},{"fixed":"7bbca05be55b129651d9df4bdb92becc45002c12"},{"fixed":"eeee3cbd4d682095ed431052f00403004596373e"},{"fixed":"ef2fb66ec571564d64d1c74a12e388a2a54d05d2"}],"database_specific":{"versions":[{"introduced":"1.1.1"},{"fixed":"1.1.1ze"},{"introduced":"3.0.0"},{"fixed":"3.0.19"},{"introduced":"3.3.0"},{"fixed":"3.3.6"},{"introduced":"3.4.0"},{"fixed":"3.4.4"},{"introduced":"3.5.0"},{"fixed":"3.5.5"},{"introduced":"3.6.0"},{"fixed":"3.6.1"}]}}],"versions":["3.0-POST-CLANG-FORMAT-WEBKIT","3.0-PRE-CLANG-FORMAT-WEBKIT","3.3-POST-CLANG-FORMAT-WEBKIT","3.3-PRE-CLANG-FORMAT-WEBKIT","3.4-POST-CLANG-FORMAT-WEBKIT","3.4-PRE-CLANG-FORMAT-WEBKIT","3.5-POST-CLANG-FORMAT-WEBKIT","3.5-PRE-CLANG-FORMAT-WEBKIT","3.6-POST-CLANG-FORMAT-WEBKIT","3.6-PRE-CLANG-FORMAT-WEBKIT","openssl-3.0.0","openssl-3.0.1","openssl-3.0.10","openssl-3.0.11","openssl-3.0.12","openssl-3.0.13","openssl-3.0.14","openssl-3.0.15","openssl-3.0.16","openssl-3.0.17","openssl-3.0.18","openssl-3.0.2","openssl-3.0.3","openssl-3.0.4","openssl-3.0.5","openssl-3.0.6","openssl-3.0.7","openssl-3.0.8","openssl-3.0.9","openssl-3.3.0","openssl-3.3.1","openssl-3.3.2","openssl-3.3.3","openssl-3.3.4","openssl-3.3.5","openssl-3.4.0","openssl-3.4.1","openssl-3.4.2","openssl-3.4.3","openssl-3.5.0","openssl-3.5.1","openssl-3.5.2","openssl-3.5.3","openssl-3.5.4","openssl-3.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22795.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}