From 12101cf3169e709a80a291d08811136508235ce7 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
 <azurelinux-security@microsoft.com>
Date: Fri, 6 Feb 2026 09:54:39 +0000
Subject: [PATCH] Patch edk2 for CVE-2026-22795

---
 SPECS/edk2/CVE-2026-22795.patch | 77 +++++++++++++++++++++++++++++++++
 SPECS/edk2/edk2.spec            |  6 ++-
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/edk2/CVE-2026-22795.patch

diff --git a/SPECS/edk2/CVE-2026-22795.patch b/SPECS/edk2/CVE-2026-22795.patch
new file mode 100644
index 00000000000..63f16eac4cb
--- /dev/null
+++ b/SPECS/edk2/CVE-2026-22795.patch
@@ -0,0 +1,77 @@
+From 3a7b43217ae244f8ae9647763817faf2a3334bf1 Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/29582)
+
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c   |  3 ++-
+ .../OpensslLib/openssl/crypto/pkcs12/p12_kiss.c        | 10 ++++++++--
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c |  2 ++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+index 83b3fc9..99f7eb0 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+@@ -2688,8 +2688,9 @@ int s_client_main(int argc, char **argv)
+                 goto end;
+             }
+             atyp = ASN1_generate_nconf(genstr, cnf);
+-            if (atyp == NULL) {
++        if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+                 NCONF_free(cnf);
++            ASN1_TYPE_free(atyp);
+                 BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+                 goto end;
+             }
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+index 7ab9838..d90404d 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+@@ -183,11 +183,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+     ASN1_BMPSTRING *fname = NULL;
+     ASN1_OCTET_STRING *lkid = NULL;
+ 
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++        if (attrib->type != V_ASN1_BMPSTRING)
++            return 0;
+         fname = attrib->value.bmpstring;
++    }
+ 
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++        if (attrib->type != V_ASN1_OCTET_STRING)
++            return 0;
+         lkid = attrib->value.octet_string;
++    }
+ 
+     switch (PKCS12_SAFEBAG_get_nid(bag)) {
+     case NID_keyBag:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f63fbc5..4e0eb1e 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -1092,6 +1092,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+     ASN1_TYPE *astype;
+     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+         return NULL;
++    if (astype->type != V_ASN1_OCTET_STRING)
++        return NULL;
+     return astype->value.octet_string;
+ }
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index c915b225543..5dd60ec78a4 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
@@ -45,7 +45,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    46%{?dist}
+Release:    47%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
 URL:        http://www.tianocore.org
@@ -138,6 +138,7 @@ Patch1008: CVE-2025-2295.patch
 Patch1009: CVE-2025-68160.patch
 Patch1010: CVE-2025-69418.patch
 Patch1011: CVE-2026-22796.patch
+Patch1012: CVE-2026-22795.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -721,6 +722,9 @@ $tests_ok
 
 
 %changelog
+* Fri Feb 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20230301gitf80f052277c8-47
+- Patch for CVE-2026-22795
+
 * Mon Feb 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20230301gitf80f052277c8-46
 - Patch for CVE-2026-22796, CVE-2025-69418, CVE-2025-68160