CVE-2026-42768 is a Bleichenbacher-style oracle vulnerability affecting the CMS_decrypt() and PKCS7_decrypt() functions when handling messages encrypted for multiple recipients. An attacker who can observe decryption outcomes may be able to recover plaintext or private key material through a padding oracle attack. This is particularly concerning in any Azure or application workload that processes S/MIME or CMS-encrypted data.

Security Architect’s Take: Audit any services or workloads — including Azure-hosted applications — that use OpenSSL or similar cryptographic libraries to decrypt multi-recipient CMS or PKCS#7 messages, and apply available patches immediately. Consider restricting access to decryption endpoints and adding timing-normalisation controls as a short-term mitigation.

Original advisory: CVE-2026-42768 Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()