NULL Pointer Dereference Vulnerability in OpenSSL Affected CMS Processing
CVE-2026-28389

7.5HIGH

Key Information:

Vendor: OpenSSL
Status: OpenSSL
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-28389?

This vulnerability occurs when a crafted CMS EnvelopedData message using KeyAgreeRecipientInfo is processed, leading to a NULL pointer dereference due to the improper handling of optional parameters. As a result, applications may experience crashes during processing of attacker-controlled CMS data, potentially causing a Denial of Service. This issue underscores the importance of input validation in cryptographic operations to prevent untrusted input from compromising application stability.

Affected Version(s)

OpenSSL 3.6.0 < 3.6.2

OpenSSL 3.5.0 < 3.5.6

OpenSSL 3.4.0 < 3.4.5

References

https://openssl-library.org/news/secadv/20260407.txt

vendor-advisory

https://github.com/openssl/openssl/commit/f80f83bc5fd036b...

patch

https://github.com/openssl/openssl/commit/16cea4188e0ea56...

patch

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Feb 27, 2026

Credit

Nathan Sportsman (Praetorian)

Daniel Rhea

Jaeho Nam (Seoul National University)

Muhammad Daffa

Zhanpeng Liu (Tencent Xuanwu Lab)

Guannan Wang (Tencent Xuanwu Lab)

Guancheng Li (Tencent Xuanwu Lab)

Joshua Rogers

Neil Horman

CVE-2026-28389 Data

JSON