CVE-2026-22796

MEDIUM

CVSS v3

5.3

MEDIUM

EPSS Score

0.1%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a

Technical Details

CVSS v3 Vector
3.1
Published
1/27/2026
Last Modified
2/2/2026

Frequently Asked Questions

What is CVE-2026-22796?

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a

Is CVE-2026-22796 actively exploited?

Active exploitation of CVE-2026-22796 has not been confirmed. The EPSS score is 0.1%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-22796?

CVE-2026-22796 has a CVSS v3 base score of 5.3 (MEDIUM severity), with vector string 3.1.

Is CVE-2026-22796 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.