changelogly / releases / openssl-4-0-1
OS
OpenSSL 4.0.1
4.0.0โ4.0.1SecurityBug fix
โฆ Editor's summary
OpenSSL 4.0.1 is the first patch release for the 4.0 branch and is a security-focused update. It fixes multiple vulnerabilities affecting PKCS7, CMS, QUIC, OCSP, ASN.1 processing, and cryptographic operations while improving overall library stability and reliability. Organizations using OpenSSL 4.0.0 should upgrade as soon as possible.
โ Security impact
- Fixed a heap use-after-free vulnerability in PKCS7_verify() (CVE-2026-45447).
- Fixed CMS AuthEnvelopedData processing that could accept forged messages (CVE-2026-34182).
- Resolved unbounded memory growth in the QUIC PATH_CHALLENGE handler (CVE-2026-34183).
- Fixed a double-free vulnerability when checking OCSP stapled responses (CVE-2026-35188).
- Addressed additional vulnerabilities including QUIC NULL pointer dereference, ASN.1 buffer handling, and AES-OCB processing issues.
What's new
- Updated OpenSSL to version 4.0.1.
- Fixed multiple security vulnerabilities across PKCS7, CMS, QUIC, OCSP, and ASN.1 components.
- Improved QUIC protocol reliability and memory management.
- Resolved cryptographic processing issues affecting CMS and AES-OCB operations.
- Enhanced library stability, robustness, and compatibility.
- Recommended for all deployments running OpenSSL 4.0.0.
๐ฌ Comments (0)
No comments yet.