🟠 High | Source: Microsoft Security Response Center
CVE-2026-6291 is a Bleichenbacher padding oracle vulnerability affecting RSA PKCS#1 v1.5 decryption within PKCS#7 Key Transport Recipient Info (KTRI) handling in Microsoft Azure. This class of attack allows an attacker to progressively decrypt RSA-encrypted data by analysing error responses, potentially exposing sensitive cryptographic material. It is a well-understood but serious cryptographic vulnerability that can undermine the confidentiality of encrypted communications if exploited.
Security Architect’s Take: Audit any Azure services or workloads relying on RSA PKCS#1 v1.5 encryption for key transport and prioritise migrating to OAEP (RSA-OAEP) padding, which is not susceptible to Bleichenbacher attacks. Apply Microsoft’s patch immediately and review whether any key material exchanged via affected KTRI mechanisms should be considered compromised.
Original advisory: CVE-2026-6291 Bleichenbacher padding oracle in PKCS#7 KTRI RSA PKCS#1 v1.5 decryption