{"api_version":"1","generated_at":"2026-04-10T06:33:14+00:00","cve":"CVE-2026-28389","urls":{"html":"https://cve.report/CVE-2026-28389","api":"https://cve.report/api/cve/CVE-2026-28389.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-28389","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-28389"},"summary":{"title":"Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo","description":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","state":"PUBLISHED","assigner":"openssl","published_at":"2026-04-07 22:16:21","updated_at":"2026-04-08 21:27:00"},"problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":[],"references":[{"url":"https://openssl-library.org/news/secadv/20260407.txt","name":"https://openssl-library.org/news/secadv/20260407.txt","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5","name":"https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616","name":"https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686","name":"https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f","name":"https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a","name":"https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-28389","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28389","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.6.0 3.6.2 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.5.0 3.5.6 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.4.0 3.4.5 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.3.0 3.3.7 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.0.0 3.0.20 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 1.1.1 1.1.1zg custom","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 1.0.2 1.0.2zp custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Nathan Sportsman (Praetorian)","lang":"en"},{"source":"CNA","value":"Daniel Rhea","lang":"en"},{"source":"CNA","value":"Jaeho Nam (Seoul National University)","lang":"en"},{"source":"CNA","value":"Muhammad Daffa","lang":"en"},{"source":"CNA","value":"Zhanpeng Liu (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Guannan Wang (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Guancheng Li (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Joshua Rogers","lang":"en"},{"source":"CNA","value":"Neil Horman","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"28389","cve":"CVE-2026-28389","epss":"0.000290000","percentile":"0.084220000","score_date":"2026-04-09","updated_at":"2026-04-10 00:07:02"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"OpenSSL","vendor":"OpenSSL","versions":[{"lessThan":"3.6.2","status":"affected","version":"3.6.0","versionType":"semver"},{"lessThan":"3.5.6","status":"affected","version":"3.5.0","versionType":"semver"},{"lessThan":"3.4.5","status":"affected","version":"3.4.0","versionType":"semver"},{"lessThan":"3.3.7","status":"affected","version":"3.3.0","versionType":"semver"},{"lessThan":"3.0.20","status":"affected","version":"3.0.0","versionType":"semver"},{"lessThan":"1.1.1zg","status":"affected","version":"1.1.1","versionType":"custom"},{"lessThan":"1.0.2zp","status":"affected","version":"1.0.2","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","value":"Nathan Sportsman (Praetorian)"},{"lang":"en","type":"reporter","value":"Daniel Rhea"},{"lang":"en","type":"reporter","value":"Jaeho Nam (Seoul National University)"},{"lang":"en","type":"reporter","value":"Muhammad Daffa"},{"lang":"en","type":"reporter","value":"Zhanpeng Liu (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Guannan Wang (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Guancheng Li (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Joshua Rogers"},{"lang":"en","type":"remediation developer","value":"Neil Horman"}],"datePublic":"2026-04-07T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Issue summary: During processing of a crafted CMS EnvelopedData message<br>with KeyAgreeRecipientInfo a NULL pointer dereference can happen.<br><br>Impact summary: Applications that process attacker-controlled CMS data may<br>crash before authentication or cryptographic operations occur resulting in<br>Denial of Service.<br><br>When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is<br>processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier<br>is examined without checking for its presence. This results in a NULL<br>pointer dereference if the field is missing.<br><br>Applications and services that call CMS_decrypt() on untrusted input<br>(e.g., S/MIME processing or CMS-based protocols) are vulnerable.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this<br>issue, as the affected code is outside the OpenSSL FIPS module boundary."}],"value":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}],"metrics":[{"format":"other","other":{"content":{"text":"Low"},"type":"https://openssl-library.org/policies/general/security-policy/"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-07T22:00:53.364Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"name":"OpenSSL Advisory","tags":["vendor-advisory"],"url":"https://openssl-library.org/news/secadv/20260407.txt"},{"name":"3.6.2 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686"},{"name":"3.5.6 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5"},{"name":"3.4.5 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616"},{"name":"3.3.7 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a"},{"name":"3.0.20 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f"}],"source":{"discovery":"UNKNOWN"},"title":"Possible NULL Dereference When Processing CMS KeyAgreeRecipientInfo","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2026-28389","datePublished":"2026-04-07T22:00:53.364Z","dateReserved":"2026-02-27T13:45:02.161Z","dateUpdated":"2026-04-07T22:00:53.364Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-07 22:16:21","lastModifiedDate":"2026-04-08 21:27:00","problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"28389","Ordinal":"1","Title":"Possible NULL Dereference When Processing CMS KeyAgreeRecipientI","CVE":"CVE-2026-28389","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"28389","Ordinal":"1","NoteData":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","Type":"Description","Title":"Possible NULL Dereference When Processing CMS KeyAgreeRecipientI"}]}}}