{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28390", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "state": "PUBLISHED", "assignerShortName": "openssl", "dateReserved": "2026-02-27T13:45:02.161Z", "datePublished": "2026-04-07T22:00:54.172Z", "dateUpdated": "2026-04-07T22:00:54.172Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSL", "vendor": "OpenSSL", "versions": [{"lessThan": "3.6.2", "status": "affected", "version": "3.6.0", "versionType": "semver"}, {"lessThan": "3.5.6", "status": "affected", "version": "3.5.0", "versionType": "semver"}, {"lessThan": "3.4.5", "status": "affected", "version": "3.4.0", "versionType": "semver"}, {"lessThan": "3.3.7", "status": "affected", "version": "3.3.0", "versionType": "semver"}, {"lessThan": "3.0.20", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "1.1.1zg", "status": "affected", "version": "1.1.1", "versionType": "custom"}, {"lessThan": "1.0.2zp", "status": "affected", "version": "1.0.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Muhammad Daffa"}, {"lang": "en", "type": "reporter", "value": "Zhanpeng Liu (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Guannan Wang (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Guancheng Li (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Joshua Rogers"}, {"lang": "en", "type": "reporter", "value": "Chanho Kim"}, {"lang": "en", "type": "remediation developer", "value": "Neil Horman"}], "datePublic": "2026-04-07T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Issue summary: During processing of a crafted CMS EnvelopedData message<br>with KeyTransportRecipientInfo a NULL pointer dereference can happen.<br><br>Impact summary: Applications that process attacker-controlled CMS data may<br>crash before authentication or cryptographic operations occur resulting in<br>Denial of Service.<br><br>When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with<br>RSA-OAEP encryption is processed, the optional parameters field of<br>RSA-OAEP SourceFunc algorithm identifier is examined without checking<br>for its presence. This results in a NULL pointer dereference if the field<br>is missing.<br><br>Applications and services that call CMS_decrypt() on untrusted input<br>(e.g., S/MIME processing or CMS-based protocols) are vulnerable.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this<br>issue, as the affected code is outside the OpenSSL FIPS module boundary."}], "value": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}], "metrics": [{"format": "other", "other": {"content": {"text": "Low"}, "type": "https://openssl-library.org/policies/general/security-policy/"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2026-04-07T22:00:54.172Z"}, "references": [{"name": "OpenSSL Advisory", "tags": ["vendor-advisory"], "url": "https://openssl-library.org/news/secadv/20260407.txt"}, {"name": "3.6.2 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc"}, {"name": "3.5.6 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6"}, {"name": "3.4.5 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788"}, {"name": "3.3.7 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75"}, {"name": "3.0.20 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4"}], "source": {"discovery": "UNKNOWN"}, "title": "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}], "id": "CVE-2026-28390", "lastModified": "2026-04-07T22:16:21.190", "metrics": {}, "published": "2026-04-07T22:16:21.190", "references": [{"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75"}, {"source": "openssl-security@openssl.org", "url": "https://openssl-library.org/news/secadv/20260407.txt"}], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "openssl-security@openssl.org", "type": "Secondary"}]}

{}

{}