CVE-2026-28389

CVE-2026-28389

Name

CVE-2026-28389

Description

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686
openssl-security@openssl.org	https://openssl-library.org/news/secadv/20260407.txt
0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	https://cert-portal.siemens.com/productcert/html/ssa-032379.html
0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	https://cert-portal.siemens.com/productcert/html/ssa-265688.html

Type

URI

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686

openssl-security@openssl.org

https://openssl-library.org/news/secadv/20260407.txt

0b142b55-0307-4c5a-b3c9-f314f3fb7c5e

https://cert-portal.siemens.com/productcert/html/ssa-032379.html

0b142b55-0307-4c5a-b3c9-f314f3fb7c5e

https://cert-portal.siemens.com/productcert/html/ssa-265688.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:openssl:openssl::::::::`	openssl	>= 1.0.2	< 1.0.2zp
`cpe:2.3:a:openssl:openssl::::::::`	openssl	>= 1.1.1	< 1.1.1zg
`cpe:2.3:a:openssl:openssl::::::::`	openssl	>= 3.0.0	< 3.0.20
`cpe:2.3:a:openssl:openssl::::::::`	openssl	>= 3.3.0	< 3.3.7
`cpe:2.3:a:openssl:openssl::::::::`	openssl	>= 3.4.0	< 3.4.5
`cpe:2.3:a:openssl:openssl::::::::`	openssl	>= 3.5.0	< 3.5.6
`cpe:2.3:a:openssl:openssl::::::::`	openssl	>= 3.6.0	< 3.6.2

CPE URI

Source package

Min version

Max version