From: Igor Ustinov <igus@openssl.foundation>
Date: Mon, 11 May 2026 14:29:47 +0000 (+0200)
Subject: Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=11df4e2ae04fe3f3207aa79b461b6ed90e5f6bce;p=thirdparty%2Fopenssl.git

Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()

Check that 'parameter' != NULL before dereferencing in
OSSL_CRMF_ENCRYPTEDVALUE_decrypt().

Fixes CVE-2026-42767

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 20:38:27 2026
---

diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index d5ad51e4503..5747ab18569 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -762,6 +762,7 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *
     EVP_CIPHER *cipher = NULL; /* used cipher */
     int cikeysize = 0; /* key size from cipher */
     unsigned char *iv = NULL; /* initial vector for symmetric encryption */
+    int iv_len; /* iv length */
     unsigned char *out = NULL; /* decryption output buffer */
     int n, ret = 0;
     EVP_PKEY_CTX *pkctx = NULL; /* private key context */
@@ -811,11 +812,12 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *
     } else {
         goto end;
     }
-    if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL)
+    iv_len = EVP_CIPHER_get_iv_length(cipher);
+    if ((iv = OPENSSL_malloc(iv_len)) == NULL)
         goto end;
-    if (ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv,
-            EVP_CIPHER_get_iv_length(cipher))
-        != EVP_CIPHER_get_iv_length(cipher)) {
+    if (enc->symmAlg->parameter == NULL
+        || ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv, iv_len)
+            != iv_len) {
         ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV);
         goto end;
     }