CVE-2026-34181
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
The PKCS#12 file processing fails to perform sufficient input validation for files using the PBMAC1 integrity mechanism, allowing for certificate and private key forgery.
Risk Assessment
An attacker can impersonate a user and cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability.
Recommendation
It is recommended to implement additional validation mechanisms for PKCS#12 files and to avoid using PBMAC1 in the context of file authentication.
Original NVD description (English source)
Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

