OpenSSL released new versions to fix a high-severity bug that can crash applications and may allow remote code execution when they verify a specially crafted signed message. The main issue, CVE-2026-45447, is a heap use-after-free in PKCS7_verify() triggered by a malformed PKCS#7 or S/MIME SignedData digestAlgorithms field; OpenSSL also patched 17 other flaws ranging from low to moderate severity affecting certificate handling, encryption integrity, denial of service, and possible code execution paths.
Why it matters: OpenSSL is embedded in many servers, appliances, and applications, so this can affect far more systems than organizations realize. Teams should identify where OpenSSL is deployed and apply the new releases promptly, especially in products or services that process S/MIME or PKCS#7 signed content.
Eduard Kovacs
2026.06.09