CVE-2026-28389
Published: 07 April 2026
Description
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When…
more
a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the NULL pointer dereference in OpenSSL by requiring timely application of vendor patches to vulnerable versions.
Requires applications processing untrusted CMS EnvelopedData to handle missing optional parameters gracefully without crashing.
Mandates validation of attacker-controlled CMS inputs to reject crafted KeyAgreeRecipientInfo messages lacking required fields.
Security SummaryAI
CVE-2026-28389 is a NULL pointer dereference vulnerability in the OpenSSL cryptographic library. The issue arises during processing of a crafted CMS EnvelopedData message that uses KeyAgreeRecipientInfo, where the optional parameters field of the KeyEncryptionAlgorithmIdentifier is examined without first checking for its presence, resulting in a crash if the field is absent. Applications and services that invoke CMS_decrypt() on untrusted input, such as those involved in S/MIME processing or CMS-based protocols, are affected. OpenSSL FIPS modules in versions 3.6, 3.5, 3.4, 3.3, and 3.0 are not vulnerable, as the affected code lies outside the FIPS module boundary. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-476.
A network-accessible attacker can exploit this vulnerability by supplying a maliciously crafted CMS EnvelopedData message to a vulnerable application. No privileges, authentication, or user interaction are required. Exploitation triggers a denial of service condition, causing the application to crash before any authentication or cryptographic operations can occur.
OpenSSL has addressed the vulnerability through fixes in their GitHub repository, including commits 16cea4188e0ea567deb4f93f85902247e67384f5, 785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616, 7b5274e812400cacb6f3be4c2df5340923fa807f, c6725634e089eb2b634b10ede33944be7248172a, and f80f83bc5fd036bc47d773e8b15a001e2b4ce686. Security practitioners should update to patched OpenSSL versions incorporating these changes.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
NULL pointer dereference in OpenSSL CMS processing allows unauthenticated remote attacker to supply crafted EnvelopedData causing application crash/DoS; directly matches Application or System Exploitation sub-technique under Endpoint Denial of Service.