Admin message

Planned IP change: on 23.06. the current public IP addresses of openCode will be replaced by new IP addresses - https://opencode.de/de/aktuelles

## DEBIAN-CVE-2026-34180 found in deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=amd64&distro=debian-13.4

> [!important]
> **Risk**: `1.41 (Low)`
> **CVSS**: `7.5`

### Description

Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.

Impact summary: The heap buffer over-read may crash the application (Denial of Service) or cause the contents of memory beyond the end of the input buffer to be loaded into the decoded ASN.1 object. More typically such ASN.1 elements would instead be truncated.

An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.

Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code.

The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

### Affected component

The vulnerability is in `pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=amd64&distro=debian-13.4`, found in artifacts `pkg:oci/clamav?repository_url=registry.opencode.de/oci-community/images/zendis/clamav&arch=amd64&tag=1.4.3-main-amd64`.

### Recommended fix

Upgrade to version 3.5.6-1~deb13u2 or later.

```
# Update all debian packages
apt update && apt upgrade

# Update only this package
apt install openssl-provider-legacy=3.5.6-1~deb13u2
```

### Additional guidance for mitigating vulnerabilities

Visit our guides on [devguard.org](https://devguard.org/risk-mitigation-guides/software-composition-analysis)

<details>
<summary>See more details...</summary>

### Path to component

```mermaid
%%{init: { 'theme':'base', 'themeVariables': { 'primaryColor': '#F3F3F3', 'primaryTextColor': '#0D1117', 'primaryBorderColor': '#999999', 'lineColor': '#999999', 'secondaryColor': '#ffffff', 'tertiaryColor': '#ffffff' } }}%%
flowchart TD
    app(["Your application"])
    apt(["pkg:deb/debian/apt@3.0.3?arch=amd64&distro=debian-13.4"])
    libssl(["pkg:deb/debian/libssl3t64@3.5.5-1~deb13u1?arch=amd64&distro=debian-13.4"])
    legacy(["pkg:deb/debian/openssl-provider-legacy@3.5.5-1~deb13u1?arch=amd64&distro=debian-13.4"])
    app --- apt
    apt --- libssl
    libssl --- legacy
    classDef default stroke-width:2px
```

| Risk Factor | Value | Description |
| ---- | ----- | ----------- |
| Vulnerability Depth | `3` | The vulnerability is in a dependency of a dependency in your project. It is 3 levels deep. |
| EPSS | `0.00 %` | The exploit probability is very low. The vulnerability is unlikely to be exploited in the next 30 days. |
| EXPLOIT | `Not available` | We did not find any exploit available, neither in GitHub repositories nor in the Exploit-Database. There are no script kiddies exploiting this vulnerability. |
| CVSS-BE | `9.3` | - Exploiting this vulnerability significantly impacts availability. |
| CVSS-B | `7.5` | - The vulnerability can be exploited over the network without needing physical access.<br>- It is easy for an attacker to exploit this vulnerability.<br>- An attacker does not need any special privileges or access rights.<br>- No user interaction is needed for the attacker to exploit this vulnerability.<br>- The impact is confined to the system where the vulnerability exists.<br>- There is a high impact on the availability of the system. |

More details can be found in [DevGuard](https://devguard.opencode.de/@opencode/projects/zendis-3/assets/clamav/refs/main/dependency-risks/f5e47ea6-0793-3495-b8b3-a53d56a64ba2)

</details>

---

### Interact with this vulnerability

You can use the following slash commands to interact with this vulnerability:

#### 👍 Reply with this to acknowledge and accept the identified risk.

```text
/accept I accept the risk of this vulnerability, because ...
```

#### ⚠️ Mark the risk as false positive:

Use one of these commands if you believe the reported vulnerability is not actually a valid issue.

```text
/component-not-present The vulnerable component is not included in the artifact.
```

```text
/vulnerable-code-not-present The component is present, but the vulnerable code is not included or compiled.
```

```text
/vulnerable-code-not-in-execute-path The vulnerable code exists, but is never executed at runtime.
```

```text
/vulnerable-code-cannot-be-controlled-by-adversary Built-in protections prevent exploitation of this vulnerability.
```

```text
/inline-mitigations-already-exist The vulnerable code cannot be controlled or influenced by an attacker.
```

#### 🔁 Reopen the risk:

Use this command to reopen a previously closed or accepted vulnerability.

```text
/reopen ...
```