Denial of Service Vulnerability in OpenSSL Affecting RSA-OAEP Encryption
CVE-2026-28390

Currently unrated

Key Information:

Vendor

OpenSSL

Status
Vendor
CVE Published:
7 April 2026

What is CVE-2026-28390?

A vulnerability exists in OpenSSL where processing a specially crafted CMS EnvelopedData message using KeyTransportRecipientInfo can lead to a NULL pointer dereference. This occurs when the parameters field of the RSA-OAEP algorithm identifier is checked without ensuring its presence, causing applications that handle untrusted CMS data to crash. The vulnerability particularly affects applications invoking CMS_decrypt() on malicious input, potentially resulting in Denial of Service before any authentication or cryptographic operations can take place. The FIPS modules in versions 3.6, 3.5, 3.4, 3.3, and 3.0 remain unaffected by this issue.
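The condition described above (an RSA-OAEP algorithm identifier with no parameters field) can be screened for before untrusted data reaches CMS_decrypt(). The following is an added example, not code from OpenSSL or from this advisory: a minimal DER walker that reports any AlgorithmIdentifier carrying the id-RSAES-OAEP OID and nothing else. The function names and sample bytes are constructed for illustration, and it assumes definite-length DER input (anything else raises ValueError, which a caller should treat as a reject).

```python
# Added example (not OpenSSL code): flag RSA-OAEP AlgorithmIdentifiers whose
# parameters element is absent. Assumes definite-length DER input.
OAEP_OID = bytes.fromhex("2a864886f70d010107")  # id-RSAES-OAEP, 1.2.840.113549.1.1.7
MAX_DEPTH = 32  # assumed bound on nesting, to keep recursion finite

# Constructed sample fragments (AlgorithmIdentifier only, not a CMS message).
SAMPLE_ABSENT = bytes.fromhex("300b0609") + OAEP_OID            # SEQUENCE { OID }
SAMPLE_PRESENT = bytes.fromhex("300d0609") + OAEP_OID + b"\x30\x00"  # SEQUENCE { OID, SEQUENCE {} }


def read_tlv(buf, pos, end):
    """Parse one TLV inside buf[pos:end]; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos += 2
    if first < 0x80:
        length = first                      # short form
    else:
        n = first & 0x7F                    # long form: n length octets follow
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("indefinite or unsupported length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("TLV overruns its container")
    return tag, pos, pos + length


def oaep_without_params(buf, start=0, end=None, depth=0):
    """Return True if any SEQUENCE holds only the id-RSAES-OAEP OID."""
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    while start < end:
        tag, vs, ve = read_tlv(buf, start, end)
        if tag & 0x20 and vs < ve:          # constructed and non-empty
            ctag, cvs, cve = read_tlv(buf, vs, ve)
            # AlgorithmIdentifier: SEQUENCE whose first element is the OID;
            # cve == ve means nothing follows it, i.e. parameters are absent.
            if tag == 0x30 and ctag == 0x06 and buf[cvs:cve] == OAEP_OID and cve == ve:
                return True
            if oaep_without_params(buf, vs, ve, depth + 1):
                return True
        start = ve
    return False
```

The walker does not descend into primitive values such as encrypted content, so it only inspects the structural part of the message where recipient information lives.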

Affected Version(s)

OpenSSL 3.6.0 < 3.6.2

OpenSSL 3.5.0 < 3.5.6

OpenSSL 3.4.0 < 3.4.5

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Daffa
Zhanpeng Liu (Tencent Xuanwu Lab)
Guannan Wang (Tencent Xuanwu Lab)
Guancheng Li (Tencent Xuanwu Lab)
Joshua Rogers
Chanho Kim
Neil Horman