PatchSiren cyber security CVE debrief
CVE-2026-22796 Siemens CVE debrief
A type confusion vulnerability in OpenSSL's PKCS#7 signature verification allows denial-of-service via malformed signed data. The vulnerability exists in the PKCS7_digest_from_attributes() function, which accesses message digest attribute values without validating their ASN.1 type. When processing data where the type is not V_ASN1_OCTET_STRING, invalid memory is accessed through the ASN1_TYPE union, causing a crash. This affects applications performing PKCS#7 signature verification on the Siemens SIMATIC S7-1500 TM MFP GNU/Linux subsystem. The vulnerability was assessed as Low severity because exploitation only results in denial of service, and the PKCS7 API is legacy—applications should migrate to the CMS API instead. FIPS modules in OpenSSL 3.5, 3.4, 3.3, and 3.0 are not affected as PKCS#7 parsing falls outside the FIPS module boundary.
- Vendor: Siemens
- Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations operating Siemens SIMATIC S7-1500 TM MFP systems with the GNU/Linux subsystem enabled, particularly those performing PKCS#7 signature verification in custom applications. OT security teams managing industrial control systems with embedded Linux components. Developers maintaining legacy applications using OpenSSL's PKCS7 API.
Technical summary
The vulnerability stems from improper type validation in OpenSSL's PKCS7_digest_from_attributes() function. When processing signed PKCS#7 data, the function retrieves the message digest attribute value and accesses it directly as an OCTET STRING without first checking which member of the ASN1_TYPE union is actually in use. If the type differs from V_ASN1_OCTET_STRING, the union access reads from the wrong member and yields a NULL or invalid pointer; dereferencing it crashes the application (DoS). The attack vector requires network delivery of malformed PKCS#7 data to an application performing signature verification. OpenSSL versions 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, and 1.0.2 are affected. FIPS-validated modules are unaffected. CVSS 3.1: 5.3 (MEDIUM) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
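The following C example, added to this debrief and not taken from OpenSSL or Siemens, models the defect described above: a tagged union in the style of ASN1_TYPE, an accessor that trusts the octet_string member without consulting the tag, and the hardened accessor that rejects any attribute whose tag is not V_ASN1_OCTET_STRING. The struct and function names (octet_string_t, asn1_type_t, digest_from_attribute_checked, verify_message_digest) and the sample digest bytes are constructed for illustration; OpenSSL's real ASN1_TYPE has many more union members.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of OpenSSL's ASN1_TYPE (hypothetical names, not
 * OpenSSL's own definition): a type tag plus a union whose valid member
 * depends on that tag. */
#define V_ASN1_BOOLEAN      1
#define V_ASN1_OCTET_STRING 4

typedef struct {
    int length;
    const unsigned char *data;
} octet_string_t;

typedef struct {
    int type;
    union {
        long boolean;                 /* valid when type == V_ASN1_BOOLEAN */
        octet_string_t *octet_string; /* valid when type == V_ASN1_OCTET_STRING */
    } value;
} asn1_type_t;

/* Vulnerable pattern: reads the octet_string member without checking the
 * tag. For a BOOLEAN attribute the stored long (e.g. 0 or 0xFF) is
 * reinterpreted as a pointer, and the caller's dereference is the crash. */
octet_string_t *digest_from_attribute_unchecked(asn1_type_t *at)
{
    return at->value.octet_string;
}

/* Hardened pattern: refuse anything that is not an OCTET STRING, so the
 * caller sees a verification failure instead of a bad pointer. */
octet_string_t *digest_from_attribute_checked(asn1_type_t *at)
{
    if (at == NULL || at->type != V_ASN1_OCTET_STRING)
        return NULL;
    return at->value.octet_string;
}

/* Compare the messageDigest attribute against the digest computed over the
 * signed content. Returns 1 on match, 0 on mismatch, -1 if the attribute
 * is malformed (wrong ASN.1 type or missing). */
int verify_message_digest(asn1_type_t *attr,
                          const unsigned char *computed, int computed_len)
{
    octet_string_t *md = digest_from_attribute_checked(attr);
    if (md == NULL)
        return -1;
    if (md->length != computed_len)
        return 0;
    return memcmp(md->data, computed, (size_t)computed_len) == 0 ? 1 : 0;
}

/* Constructed sample attribute values (not from any real signed message). */
static const unsigned char sample_digest[4] = { 0xde, 0xad, 0xbe, 0xef };
static octet_string_t sample_os = { 4, sample_digest };

asn1_type_t *make_good_attribute(void)
{
    static asn1_type_t good;
    good.type = V_ASN1_OCTET_STRING;
    good.value.octet_string = &sample_os;
    return &good;
}

asn1_type_t *make_bad_attribute(void)
{
    static asn1_type_t bad;
    bad.type = V_ASN1_BOOLEAN;  /* wrong type for a messageDigest attribute */
    bad.value.boolean = 0xFF;   /* what unchecked code would treat as a pointer */
    return &bad;
}

int main(void)
{
    const unsigned char computed[4] = { 0xde, 0xad, 0xbe, 0xef };
    const unsigned char other[4]    = { 0x00, 0x11, 0x22, 0x33 };

    printf("good attribute, matching digest: %d\n",
           verify_message_digest(make_good_attribute(), computed, 4));
    printf("good attribute, wrong digest:    %d\n",
           verify_message_digest(make_good_attribute(), other, 4));
    printf("BOOLEAN attribute (malformed):   %d\n",
           verify_message_digest(make_bad_attribute(), computed, 4));
    /* Only printed, never dereferenced: this is the bogus pointer value the
     * unchecked accessor hands back for a non-OCTET STRING attribute. */
    printf("unchecked accessor on BOOLEAN:   %p\n",
           (void *)digest_from_attribute_unchecked(make_bad_attribute()));
    return 0;
}
```

The checked accessor turns the malformed input into an ordinary verification failure (-1), which is the behaviour an application wrapping the legacy PKCS7 API should expect from a patched library; until a vendor update is available, the same tag check is what a reviewer would look for in any local code that walks signed attributes itself.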
Defensive priority
medium
Recommended defensive actions
- Limit access to the interactive shell of the GNU/Linux subsystem to trusted personnel only
- Only build and run applications from trusted sources
- Monitor for vendor security updates as no fix is currently available
- Consider migrating from legacy PKCS7 API to CMS API where feasible
Evidence notes
CVE published 2024-04-09 per CISA CSAF advisory ICSA-24-102-01. Advisory last modified 2026-05-14, with multiple revision releases adding additional CVEs. Source assessment: government advisory (CISA CSAF) with high-confidence vendor attribution to Siemens.
Official resources
- CVE-2026-22796 CVE record (CVE.org)
- CVE-2026-22796 NVD detail (NVD)
- Source item URL: cisa_csaf