NULL Pointer Dereference Vulnerability in OpenSSL Affecting CMS Processing
CVE-2026-28389
What is CVE-2026-28389?
This vulnerability is triggered when a crafted CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed: optional parameters in the message are handled improperly, leading to a NULL pointer dereference. As a result, applications that process attacker-controlled CMS data may crash, resulting in a denial of service. This issue underscores the importance of validating untrusted input in cryptographic message processing so that malformed data cannot compromise application stability.
Affected Version(s)
OpenSSL 3.6.0 < 3.6.2
OpenSSL 3.5.0 < 3.5.6
OpenSSL 3.4.0 < 3.4.5