Commit a9af344229 for openssl.org

commit a9af3442290e8a04706a3cd5f284ffd5b486e3f6
Author: Daniel Kubec <kubec@openssl.foundation>
Date:   Sat May 16 01:04:30 2026 +0200

    Fix NULL Dereference in Certificate Verification with OCSP Checking

    When performing OCSP response checking for certificates in the verification
    chain, the code always tries to access the next certificate as the issuer.
    There is a check for a self-signed certificate. However, with partial
    chain verification enabled, when the chain does not have a self-signed trusted
    anchor, the issuer will be NULL for the last certificate in the chain. A NULL
    pointer dereference then happens.

    This issue affects only applications which enable both OCSP verification
    of the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial
    chain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate
    verification. Both flags are disabled by default. For that reason, we have
    assigned Low severity to the issue.

    Fixes CVE-2026-42765

    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Mon Jun  8 18:55:29 2026

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index c283a6a793..dccdf6f499 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1205,6 +1205,16 @@ static int check_revocation(X509_STORE_CTX *ctx)

             /* the issuer certificate is the next in the chain */
             ctx->current_issuer = sk_X509_value(ctx->chain, i + 1);
+            if (ctx->current_issuer == NULL) {
+                /*
+                 * No issuer exists at i+1 — this is the partial-chain
+                 * trust anchor. OCSP requires an issuer to build the
+                 * CertID, so skip OCSP checking for this certificate.
+                 */
+                if ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) != 0)
+                    continue;
+                return verify_cb_ocsp(ctx, X509_V_ERR_OCSP_VERIFY_FAILED);
+            }

             ok = check_cert_ocsp_resp(ctx);
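Review bot: when X509_V_FLAG_PARTIAL_CHAIN is not set, the new block returns X509_V_ERR_OCSP_VERIFY_FAILED through verify_cb_ocsp(), but nothing in the visible lines sets ctx->error_depth or ctx->current_cert to the certificate at index i first, so a verify callback that inspects the failing certificate may see stale values from the previous iteration; if the callback path relies on them, set them before the `return`. The `continue` for the partial-chain case silently skips OCSP for the anchor, which is reasonable since that certificate is trusted by configuration, but the comment should say so explicitly rather than only "skip OCSP checking for this certificate". Style: the comment line "No issuer exists at i+1 — this is the partial-chain" uses a non-ASCII em-dash; OpenSSL sources are plain ASCII, so use a comma or a plain hyphen. A regression test that verifies a chain ending in a non-self-signed trust anchor with both X509_V_FLAG_OCSP_RESP_CHECK_ALL and X509_V_FLAG_PARTIAL_CHAIN set would lock in the fix for CVE-2026-42765.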