From: Nikola Pajkovsky Date: Thu, 21 May 2026 09:53:09 +0000 (+0200) Subject: cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51d1800e95283a8beec85152e35e3634dab8dd82;p=thirdparty%2Fopenssl.git cms: kek_unwrap_key: Fix out-of-bounds read in check-byte validation the check-byte test in kek_unwrap_key() reads tmp[1] through tmp[6] unconditionally, so the decrypted buffer must hold at least seven octets. The pre-decryption size check enforces inlen >= 2 * blocklen, which yields the required seven octets only when blocklen >= 4. For a KEK cipher with a smaller block size, inlen can be as small as 2 * blocklen and the check-byte read overruns the inlen-sized tmp allocation. Reject blocklen < 4 in the early sanity check. All block ciphers appropriate for CMS PasswordRecipientInfo key wrapping have a block size of at least 8 octets (DES/3DES = 8, AES = 16), so this only forbids ciphers that would not be valid KEK choices anyway, and the existing inlen >= 2 * blocklen check then guarantees the seven-octet lower bound the check-byte test relies on. Fixes CVE-2026-9076 Signed-off-by: Nikola Pajkovsky Reviewed-by: Daniel Kubec Reviewed-by: Milan Broz Reviewed-by: Tomas Mraz MergeDate: Mon Jun 8 14:06:36 2026 --- diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index ac869a37f93..2a5625c9c86 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -205,7 +205,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, unsigned char *tmp; int outl, rv = 0; - if (blocklen <= 0) + if (blocklen < 4) return 0; if (inlen < 2 * (size_t)blocklen) {
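Review bot: The new bound in `if (blocklen < 4)` is a bare constant with no comment in the code, so its link to the seven-octet requirement exists only in the commit message. A later reader of kek_unwrap_key() sees 4 next to `inlen < 2 * (size_t)blocklen` and has to re-derive that 2 * 4 = 8 octets covers the tmp[1] through tmp[6] reads. Suggest a one-line comment at that check stating the invariant, or testing the actual requirement directly alongside it (for example rejecting inlen < 7), so the guard stays correct if either the check-byte test or the size check changes later. The rejection path is a plain `return 0;` with no error raised in the visible lines; worth confirming that a silent failure is intended for a refused KEK cipher. The diff touches only crypto/cms/cms_pwri.c, so a regression test that exercises a cipher with a block size below 4 would be a useful addition.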