deps: bundled OpenSSL 3.5.6 in v24.x and v26.x has multiple CVEs, fixed in OpenSSL 3.5.7
What is the problem?
OpenSSL 3.5.7 was released on 2026-06-09 with fixes for 15 CVEs. The most severe is High. Node.js v24.16.0 (Active LTS) and v26.3.0 (Current) both ship OpenSSL 3.5.6 and are therefore exposed.
Reproduction:

```sh
docker pull node:24-alpine
docker run --rm node:24-alpine node -p "process.versions.openssl"
# → 3.5.6
```
Full advisory:

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2026-45447 | High | Heap use-after-free in PKCS7_verify() — potential RCE |
| CVE-2026-34182 | Moderate | CMS AuthEnvelopedData may accept forged messages |
| CVE-2026-34183 | Moderate | Unbounded memory growth in QUIC PATH_CHALLENGE handler |
| CVE-2026-42764 | Low | NULL ptr deref in QUIC server initial packet handling |
| CVE-2026-7383 | Low | Heap buffer overflow in ASN.1 multibyte string conversion |
| CVE-2026-9076 | Low | Out-of-bounds read in CMS password-based decryption |
| CVE-2026-34180 | Low | Heap buffer over-read in ASN.1 content parsing |
| CVE-2026-34181 | Low | PKCS#12 PBMAC1 accepts short HMAC keys |
| CVE-2026-42766 | Low | NULL deref in password-based CMS decryption |
| CVE-2026-42767 | Low | NULL ptr deref in CRMF EncryptedValue decryption |
| CVE-2026-42768 | Low | Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt()/PKCS7_decrypt() |
| CVE-2026-42769 | Low | Trust anchor substitution via CMP rootCaKeyUpdate |
| CVE-2026-42770 | Low | FFC-DH peer validation uses attacker-supplied q |
| CVE-2026-45445 | Low | AES-OCB IV ignored on EVP_Cipher() path |
| CVE-2026-45446 | Low | Incorrect tag processing for AES-GCM-SIV and AES-SIV modes |
What did you expect?
A v24.x patch release (and v26.x release) that bumps deps/openssl from 3.5.6 to 3.5.7, clearing the 15 CVEs listed above.
Current status
The automated OpenSSL update workflow (.github/workflows/update-openssl.yml) runs weekly on Sundays. OpenSSL 3.5.7 was released on a Monday, so the next scheduled run is 2026-06-15. Could a collaborator trigger workflow_dispatch sooner so the update PR lands on main before then?
For context, the OpenSSL 3.5.6 update followed this timeline:
- OpenSSL 3.5.6 released: 2026-04-07
- Automated PR on main: #62629 — same day
- Released in v26.1.0: 2026-05-07
- Backported to v24.16.0: 2026-05-21
Impact
Vulnerability scanners (grype, AWS Inspector, Trivy) flag the bundled OpenSSL headers at /usr/local/include/node/openssl/ against pkg:generic/openssl/openssl@3.5.6. This blocks CVE-gating CI for downstream Docker images built on node:24 and node:26. Many organizations gate container deployments on zero High/Critical CVEs.
cc @aduh95 @richardlau — would it be possible to trigger the OpenSSL update workflow manually, and/or expedite the backport to v24.x given the High-severity heap UAF (CVE-2026-45447)?