UBUNTU-CVE-2026-42771

Source
https://ubuntu.com/security/CVE-2026-42771
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42771.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-42771
Upstream
Published
2026-06-09T00:00:00Z
Modified
2026-06-12T09:04:13.826122966Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - low
Summary
[none]
Details

Issue summary: When the X509VERIFYPARAMset1email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen. Impact summary: This out of bounds read will not directly exfiltrate the data read to the attacker so the most likely result is a crash and a Denial of Service. An internal helper function called from X509VERIFYPARAM_[set|add]_email() used a wrong length when validating the local part of an email address. This could cause the 64 octet limit on the local part of an email address to be not enforced, or cause an out of bound read and potentially a crash. The bug is reachable via S-MIME validation with a crafted From: address supplied in an email message that can potentially cause a crash. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.

References

Affected packages

Ubuntu:Pro:22.04:LTS / nodejs

Package

Name
nodejs
Purl
pkg:deb/ubuntu/nodejs?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

12.*
12.22.5~dfsg-5ubuntu1
12.22.7~dfsg-2ubuntu1
12.22.7~dfsg-2ubuntu3
12.22.9~dfsg-1ubuntu2
12.22.9~dfsg-1ubuntu3
12.22.9~dfsg-1ubuntu3.1
12.22.9~dfsg-1ubuntu3.2
12.22.9~dfsg-1ubuntu3.3
12.22.9~dfsg-1ubuntu3.4
12.22.9~dfsg-1ubuntu3.5
12.22.9~dfsg-1ubuntu3.6
12.22.9~dfsg-1ubuntu3.6+esm2

Ecosystem specific

{
    "priority_reason": "OpenSSL developers have rated this as being low severity",
    "binaries": [
        {
            "binary_name": "libnode72",
            "binary_version": "12.22.9~dfsg-1ubuntu3.6+esm2"
        },
        {
            "binary_name": "nodejs",
            "binary_version": "12.22.9~dfsg-1ubuntu3.6+esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-42771.json"