AES-CFB128 Encryption Vulnerability in OpenSSL FIPS Module
CVE-2026-28386

Currently unrated

Key Information:

Vendor: OpenSSL
Status: Vendor
CVE Published: 7 April 2026

What is CVE-2026-28386?

The vulnerability affects applications that perform AES-CFB128 encryption or decryption on x86-64 systems with AVX-512 and VAES instruction support. It can cause an out-of-bounds read of up to 15 bytes while a partial (shorter than 16 bytes) cipher block is processed. If the input buffer ends at a memory page boundary and the next page is unmapped, the over-read can crash the application, resulting in a Denial of Service. There is no information disclosure: the over-read bytes are never output. The issue arises primarily when the data being processed includes an incomplete cipher block, not during ordinary whole-block operation.
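The partial-block mechanism described above, as an added example that is not OpenSSL's code: a reference CFB128 implementation over a pluggable 16-byte block function, showing the bounded read of the final partial block and how many bytes a full-block load would run past the buffer. The names are my own, and `toy_block_encrypt` is a constructed byte-wise stand-in used in place of AES so the block runs offline.

```python
# Added example (not OpenSSL code). CFB128 turns a 16-byte block cipher into
# a stream cipher: keystream block = E_k(previous ciphertext block), XORed
# byte-wise with the input. Only the final block may be short (1..15 bytes);
# an implementation that still loads a full 16-byte block there reads
# 16 - n bytes past the buffer, at most 15 when n == 1.
from typing import Callable

BLOCK = 16
BlockFn = Callable[[bytes], bytes]  # encrypts exactly one 16-byte block


def _cfb128(block_encrypt: BlockFn, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """CFB128 in either direction; the block cipher always runs forward."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be one block")
    out = bytearray()
    feedback = iv
    for off in range(0, len(data), BLOCK):
        chunk = data[off:off + BLOCK]        # slicing never reads past len(data)
        ks = block_encrypt(feedback)
        n = len(chunk)                       # 16, or 1..15 for the final block
        out += bytes(x ^ k for x, k in zip(chunk, ks[:n]))
        ct = chunk if decrypt else out[-n:]  # ciphertext feeds the next block
        feedback = bytes(ct) + ks[n:]        # ks[n:] is empty for a full block
    return bytes(out)


def cfb128_encrypt(block_encrypt: BlockFn, iv: bytes, plaintext: bytes) -> bytes:
    return _cfb128(block_encrypt, iv, plaintext, decrypt=False)


def cfb128_decrypt(block_encrypt: BlockFn, iv: bytes, ciphertext: bytes) -> bytes:
    return _cfb128(block_encrypt, iv, ciphertext, decrypt=True)


def overread_if_full_block_loaded(length: int) -> int:
    """Bytes a full-block load of the final chunk would read past a buffer
    of `length` bytes: 0 for whole-block input, otherwise 16 - (length % 16)."""
    rem = length % BLOCK
    return 0 if rem == 0 else BLOCK - rem


def toy_block_encrypt(block: bytes) -> bytes:
    """Constructed stand-in for AES block encryption (NOT a real cipher):
    a fixed byte-wise bijection, enough to exercise the mode logic."""
    return bytes((7 * b + 3) & 0xFF for b in block)


if __name__ == "__main__":
    iv = bytes(range(16))
    msg = b"seventeen bytes!!"  # 17 bytes: one full block plus a 1-byte tail
    ct = cfb128_encrypt(toy_block_encrypt, iv, msg)
    print(len(ct), overread_if_full_block_loaded(len(msg)))  # 17 15
```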

Affected Version(s)

OpenSSL 3.6.0 up to, but not including, 3.6.2

Credit

Stanislav Fort (Aisle Research)
Pavel Kohout (Aisle Research)
Alex Gaynor (Anthropic)