CVE-2026-42771

Issue summary: When the X509_VERIFY_PARAM_set1_email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen. Impact summary: This out of bounds read will not directly exfiltrate the data read to the attacker so the most likely result is a crash and a Denial of Service. An internal helper function called from X509_VERIFY_PARAM_[set|add]_email() used a wrong length when validating the local part of an email address. This could cause the 64 octet limit on the local part of an email address to be not enforced, or cause an out of bound read and potentially a crash. The bug is reachable via S-MIME validation with a crafted From: address supplied in an email message that can potentially cause a crash. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openssl/security/commit/6cd187689f8180c1f8a3acde21f88190c4a20de7
https://openssl-library.org/news/secadv/20260609.txt

Configurations

No configuration.

History

09 Jun 2026, 20:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.2

09 Jun 2026, 17:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-09 17:17

Updated : 2026-06-09 20:16

NVD link : CVE-2026-42771

Mitre link : CVE-2026-42771

CVE.ORG link : CVE-2026-42771

JSON object : View

Products Affected

No product.

CWE

CWE-125

Out-of-bounds Read

6.2 /10