CVE-2026-42768 Bleichenbacher Oracle in CMS & PKCS7 Decrypt

🟠 High | Source: Microsoft Security Response Center

CVE-2026-42768 is a Bleichenbacher-style oracle vulnerability affecting the CMS_decrypt() and PKCS7_decrypt() functions when handling messages encrypted for multiple recipients. An attacker who can observe decryption outcomes may be able to recover plaintext or private key material through a padding oracle attack. This is particularly concerning in any Azure or application workload that processes S/MIME or CMS-encrypted data.

Security Architect’s Take: Audit any services or workloads, including Azure-hosted applications, that use OpenSSL or similar cryptographic libraries to decrypt multi-recipient CMS or PKCS#7 messages, and apply available patches immediately. Consider restricting access to decryption endpoints and adding timing-normalisation controls as a short-term mitigation. ...
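One way to apply the short-term mitigation named above, as an added example that is not code from the advisory, OpenSSL or this site: a wrapper that returns one response for every decryption failure and holds every call to a fixed time floor. `decrypt_cms`, the two exception classes and the 50 ms floor are assumptions standing in for the service's own call into CMS_decrypt() or PKCS7_decrypt().

```python
import time

GENERIC_FAILURE = {"status": "rejected"}  # one response body for every failure
TIME_FLOOR_S = 0.05  # constructed value; set above the worst-case decrypt time


class RecipientError(Exception):
    """Hypothetical: key unwrap failed for every recipient."""


class ContentError(Exception):
    """Hypothetical: content decryption failed after key unwrap."""


def normalised_decrypt(decrypt_cms, blob, floor_s=TIME_FLOOR_S, log=None):
    """Run decrypt_cms(blob) and return (response, elapsed_seconds).

    Every failure maps to the same response, and every call, success or
    failure, is held until floor_s has passed, so the caller's view does
    not depend on which stage failed or how quickly it failed.
    """
    start = time.monotonic()
    try:
        plaintext = decrypt_cms(blob)
        response = {"status": "accepted", "plaintext": plaintext}
    except Exception as exc:  # deliberate catch-all: no failure kind escapes
        if log is not None:
            log.append(type(exc).__name__)  # detail stays in the server-side log
        response = dict(GENERIC_FAILURE)
    remaining = floor_s - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return response, time.monotonic() - start


# Constructed stand-ins that fail at different stages and speeds.
def fail_fast(_blob):
    raise RecipientError("no recipient key unwrapped")


def fail_slow(_blob):
    time.sleep(0.02)
    raise ContentError("bad content padding")


def succeed(blob):
    return blob[::-1]
```

A sleep-based floor narrows the timing signal but does not remove it under load, which is why it sits alongside patching and access restriction rather than replacing them.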

15 June 2025 · ZX Cloud Security
