AES-CFB128 Encryption Vulnerability in OpenSSL FIPS Module
CVE-2026-28386
What is CVE-2026-28386?
CVE-2026-28386 is a vulnerability in the OpenSSL FIPS module that affects the AES-CFB128 encryption mode on x86-64 systems with AVX-512 and VAES instruction support. When a partial cipher block is processed, the affected code can read up to 15 bytes past the end of the input buffer; if that buffer ends exactly at a memory page boundary and the following page is not mapped, the read faults and the application crashes, resulting in a Denial of Service (DoS). Data is not compromised, as there is no information leakage, but the availability of the application can be severely impacted. Because the vulnerable code path is narrow, the issue primarily affects those specific systems that still use this outdated mode of encryption.
Potential impact of CVE-2026-28386
- Denial of Service (DoS): The out-of-bounds read can cause applications to crash unexpectedly, interrupting ongoing operations and service availability, which may affect users and business continuity.
- Limited Exploitation Scope: The impact is restricted to systems that use AES-CFB128 in a specific context and configuration (i.e., the FIPS module on hardware with AVX-512 and VAES support). This reduces the number of potentially affected applications, but it highlights a concrete risk for those configurations.
- Lack of Significant Data Leakage: The vulnerability does not lead to data breaches or unauthorized information access, but the resulting disruptions can still have operational and financial consequences for organizations that rely on affected systems.
Affected Version(s)
OpenSSL 3.6.0 up to, but not including, 3.6.2
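The conditions above (affected version range, FIPS provider in use, AVX-512 plus VAES on the CPU, and AES-CFB128 actually being used) can be turned into an exposure check that an operator runs on a host. The following script is an added example written for this page; it is not OpenSSL project code. It assumes the `openssl version` and `openssl list -providers` output layouts shown in the constructed samples and the Linux `/proc/cpuinfo` flags format; the sample inputs are constructed, not captured from a real system. Whether AES-CFB128 is used is application knowledge, so it is passed in as a flag.

```python
import re
import subprocess

# Affected range from the advisory: 3.6.0 <= version < 3.6.2
AFFECTED_MIN = (3, 6, 0)
FIXED_IN = (3, 6, 2)

# CPU feature flags the vulnerable code path requires (AVX-512 and VAES)
REQUIRED_CPU_FLAGS = {"avx512f", "vaes"}

# Constructed sample inputs (not captured from a real host)
SAMPLE_VERSION = "OpenSSL 3.6.1"
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: constructed sample x86-64 CPU\n"
    "flags\t\t: fpu sse2 avx avx2 avx512f avx512bw vaes vpclmulqdq\n"
)
SAMPLE_PROVIDERS = (
    "Providers:\n"
    "  fips\n"
    "    name: OpenSSL FIPS Provider\n"
    "    version: 3.6.1\n"
    "    status: active\n"
)


def parse_version(text):
    """Return (major, minor, patch) from an `openssl version` line, or None."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def version_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return version is not None and AFFECTED_MIN <= version < FIXED_IN


def cpu_flags(cpuinfo_text):
    """Collect the feature flags from every 'flags' line in /proc/cpuinfo."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def cpu_has_vaes_path(flags):
    """True when the CPU advertises both AVX-512 and VAES."""
    return REQUIRED_CPU_FLAGS <= flags


def fips_provider_active(providers_text):
    """Parse `openssl list -providers` output (assumed layout: provider name at
    two-space indent, properties at four) and report whether 'fips' is active."""
    current = None
    for line in providers_text.splitlines():
        m_name = re.match(r"^  (\S+)\s*$", line)
        if m_name:
            current = m_name.group(1)
            continue
        m_status = re.match(r"^\s+status:\s*(\S+)", line)
        if m_status and current == "fips" and m_status.group(1) == "active":
            return True
    return False


def assess(version_text, cpuinfo_text, providers_text, aes_cfb128_in_use):
    """Combine the four conditions; the host is exposed only if all hold.
    Any single False check (e.g. upgrading to 3.6.2, or not using CFB128)
    removes the exposure."""
    checks = {
        "version_in_affected_range": version_affected(parse_version(version_text)),
        "cpu_has_avx512_and_vaes": cpu_has_vaes_path(cpu_flags(cpuinfo_text)),
        "fips_provider_active": fips_provider_active(providers_text),
        "aes_cfb128_in_use": bool(aes_cfb128_in_use),
    }
    return {"exposed": all(checks.values()), "checks": checks}


def live_check(aes_cfb128_in_use):
    """Run the same assessment against the current Linux host."""
    version = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    providers = subprocess.run(["openssl", "list", "-providers"], capture_output=True, text=True).stdout
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    return assess(version, cpuinfo, providers, aes_cfb128_in_use)


if __name__ == "__main__":
    # Evaluate the constructed samples; swap in live_check(True) on a real host.
    print(assess(SAMPLE_VERSION, SAMPLE_CPUINFO, SAMPLE_PROVIDERS, aes_cfb128_in_use=True))
```

The per-condition breakdown in `checks` is more useful than the single boolean: it tells an operator which lever clears the finding on a given host (upgrading past 3.6.1, moving the application off CFB128, or noting that the hardware lacks the VAES path).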