CVE-2026-45445 is a cryptographic vulnerability in OpenSSL’s AES-OCB mode where the Initialisation Vector (IV) is silently ignored when encryption or decryption is performed via the EVP_Cipher() API path. This means data intended to be protected with a unique IV may be encrypted with a predictable or reused nonce, undermining the confidentiality and integrity guarantees of AES-OCB. Any Azure service or workload relying on OpenSSL’s EVP_Cipher() with AES-OCB mode is potentially at risk of ciphertext forgery or plaintext recovery.

Security Architect’s Take: Audit workloads and Azure-hosted applications that use OpenSSL’s EVP_Cipher() with AES-OCB mode and prioritise patching to a remediated OpenSSL version as soon as Microsoft and upstream OpenSSL publish fixes. If AES-OCB is not a hard requirement, consider migrating to AES-GCM via the EVP_AEAD API as an interim risk reduction measure.

Original advisory: CVE-2026-45445 AES-OCB IV Ignored on EVP_Cipher() Path

CVE-2023-5678 is a vulnerability in OpenSSL where processing a Diffie-Hellman (DH) key or parameter with an excessively large Q value can cause the application to hang, consuming significant CPU time. This creates a denial-of-service risk for any service that processes externally supplied DH parameters. Microsoft has published guidance via the MSRC as it affects components within the Azure ecosystem.

Security Architect’s Take: Review any Azure services or workloads using OpenSSL for TLS/cryptographic operations and ensure OpenSSL is patched to a version addressing CVE-2023-5678. Pay particular attention to services that accept client-supplied DH parameters, and consider disabling legacy DH cipher suites where not required.

Original advisory: CVE-2023-5678 Excessive time spent in DH check / generation with large Q parameter value