CVE-2026-45446
4.8 MEDIUMIssue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authe...
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 4.8 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
- CWE
- CWE-325
Description
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45446
- [Other]https://github.com/openssl/security/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc
- [Other]https://github.com/openssl/security/commit/71e2a5d263518cf5866043bd60ee4994d59e53a3
- [Other]https://github.com/openssl/security/commit/7fe3f33a3b3a4c487aa4dcdbc87057f66ffd2b85
- [Other]https://github.com/openssl/security/commit/daca0f48e4a69a2892a62262bad59e62a8a76598
- [Other]https://github.com/openssl/security/commit/eec5e9bf0d867333b8495e456f5235d225798a68
- [Other]https://openssl-library.org/news/secadv/20260609.txt
Related CVEs
Same CWE
- CVE-2026-45445 — Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied... (7.5 HIGH)
- CVE-2026-42770 — Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgro... (3.7 LOW)
- CVE-2026-0420 — An improper implementation of TLS certificate validation vulnerability found in ReadyCloud client app which can allow an attacker to perf...
- CVE-2026-48480 — The netty incubator codec.bhttp is a java language binary http parser
- CVE-2026-4258 — All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validat... (7.5 HIGH)