the check-byte test in kek_unwrap_key() reads tmp[1] through tmp[6]
unconditionally, so the decrypted buffer must hold at least seven
octets. The pre-decryption size check enforces inlen >= 2 * blocklen,
which yields the required seven octets only when blocklen >= 4. For
a KEK cipher with a smaller block size, inlen can be as small as
2 * blocklen and the check-byte read overruns the inlen-sized tmp
allocation.

Reject blocklen < 4 in the early sanity check. All block ciphers
appropriate for CMS PasswordRecipientInfo key wrapping have a block
size of at least 8 octets (DES/3DES = 8, AES = 16), so this only
forbids ciphers that would not be valid KEK choices anyway, and the
existing inlen >= 2 * blocklen check then guarantees the seven-octet
lower bound the check-byte test relies on.

Fixes CVE-2026-9076
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Milan Broz <mbroz@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun 8 14:06:36 2026
unsigned char *tmp;
int outl, rv = 0;
- if (blocklen <= 0)
+ if (blocklen < 4)
return 0;
if (inlen < 2 * (size_t)blocklen) {
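Review bot: the new `blocklen < 4` bound is a bare magic number with no comment at the check. The reason it is 4 (the check-byte test reads tmp[1] through tmp[6], so 2 * blocklen has to be at least 7) is stated only in the commit message, and the guarantee depends on this line and the following `inlen < 2 * (size_t)blocklen` test staying in step. Suggest a one-line comment above the condition recording the seven-octet requirement, or an explicit inlen >= 7 test next to the check-byte read, so the invariant is written where it is relied on and a later change to either check cannot silently reopen the overread.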