CVE-2026-28390
Description
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.
When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.
Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Affected products
1Patches
501194a8f19412e39b7a6993baf2a5fecd3e7ea7b4ea4f9f8fd2f1a6cf53bVulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bcnvdPatch
- github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6nvdPatch
- github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4nvdPatch
- github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788nvdPatch
- github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75nvdPatch
- openssl-library.org/news/secadv/20260407.txtnvdVendor Advisory
- cert-portal.siemens.com/productcert/html/ssa-032379.htmlnvd
- cert-portal.siemens.com/productcert/html/ssa-265688.htmlnvd
News mentions
14- Debian 13.5 point release lands with security fixes, bug patchesHelp Net Security · May 17, 2026
- New critical Exim mailer flaw allows remote code executionBleepingComputer · May 13, 2026
- New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code ExecutionThe Hacker News · May 12, 2026
- From Stuxnet to ChatGPT: 20 News Events That Shaped CyberDark Reading · May 6, 2026
- Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them?The Hacker News · Apr 23, 2026
- China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go BackdoorsThe Hacker News · Apr 23, 2026
- GopherWhisper: A burrow full of malwareESET WeLiveSecurity · Apr 23, 2026
- Kyber Ransomware Double Trouble: Windows and ESXi Attacks ExplainedRapid7 Blog · Apr 21, 2026
- ZDI-26-281: Microsoft vcpkg OpenSSL Uncontrolled Search Path Element Local Privilege Escalation VulnerabilityZero Day Initiative · Apr 15, 2026
- ZDI-26-215: KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation VulnerabilityZero Day Initiative · Mar 16, 2026
- ZDI-26-132: Siemens SINEC NMS Uncontrolled Search Path Element Local Privilege Escalation VulnerabilityZero Day Initiative · Feb 25, 2026
- ZDI-26-131: Siemens SINEC NMS Uncontrolled Search Path Element Local Privilege Escalation VulnerabilityZero Day Initiative · Feb 25, 2026
- Siemens SIMATICCISA Alerts
- Siemens SCALANCECISA Alerts