Red Hat Security Advisory: compat-openssl10 security update
A heap use-after-free vulnerability exists in the OpenSSL PKCS7_verify() function in the compat-openssl10 package provided by Red Hat for compatibility with older software. This vulnerability is identified as CVE-2026-45447 and has been rated with high severity by Red Hat Product Security. The issue affects Red Hat Enterprise Linux 8 across multiple architectures and extended life cycle versions. A security update has been issued by Red Hat to address this vulnerability.
AI Analysis
Technical Summary
The Red Hat compat-openssl10 package, which provides OpenSSL 1.0.2 libraries for compatibility with older software, contains a heap use-after-free vulnerability in the PKCS7_verify() function (CVE-2026-45447). This vulnerability is classified under CWE-825. Red Hat has issued an important security advisory (RHSA-2026:36215) and released updated packages for Red Hat Enterprise Linux 8 across various architectures and extended life cycle versions to address this flaw. The advisory references the CVE for further details but does not provide a CVSS score. The update mitigates the vulnerability by correcting the memory management in the affected function.
Potential Impact
The vulnerability allows for a heap use-after-free condition during the verification of PKCS7 signatures in OpenSSL, which may lead to memory corruption or application crashes. This could affect applications relying on the compat-openssl10 libraries for cryptographic operations involving PKCS7 data. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Red Hat has released updated compat-openssl10 packages for Red Hat Enterprise Linux 8 and its extended life cycle variants that fix this vulnerability. Users should apply these official updates as soon as possible following Red Hat's guidance at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by the vendor advisory.
Red Hat Security Advisory: compat-openssl10 security update
Description
A heap use-after-free vulnerability exists in the OpenSSL PKCS7_verify() function in the compat-openssl10 package provided by Red Hat for compatibility with older software. This vulnerability is identified as CVE-2026-45447 and has been rated with high severity by Red Hat Product Security. The issue affects Red Hat Enterprise Linux 8 across multiple architectures and extended life cycle versions. A security update has been issued by Red Hat to address this vulnerability.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Red Hat compat-openssl10 package, which provides OpenSSL 1.0.2 libraries for compatibility with older software, contains a heap use-after-free vulnerability in the PKCS7_verify() function (CVE-2026-45447). This vulnerability is classified under CWE-825. Red Hat has issued an important security advisory (RHSA-2026:36215) and released updated packages for Red Hat Enterprise Linux 8 across various architectures and extended life cycle versions to address this flaw. The advisory references the CVE for further details but does not provide a CVSS score. The update mitigates the vulnerability by correcting the memory management in the affected function.
Potential Impact
The vulnerability allows for a heap use-after-free condition during the verification of PKCS7 signatures in OpenSSL, which may lead to memory corruption or application crashes. This could affect applications relying on the compat-openssl10 libraries for cryptographic operations involving PKCS7 data. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Red Hat has released updated compat-openssl10 packages for Red Hat Enterprise Linux 8 and its extended life cycle variants that fix this vulnerability. Users should apply these official updates as soon as possible following Red Hat's guidance at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:36215
- Cve Count
- 1
- Additional Cves
- []
- Cvss Version
- null
Threat ID: 6a4e4efdc9d9e3dbe328d0ce
Added to database: 07/08/2026, 13:22:05 UTC
Last enriched: 07/08/2026, 13:47:09 UTC
Last updated: 07/08/2026, 22:28:25 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.