{"api_version":"1","generated_at":"2026-04-10T06:33:28+00:00","cve":"CVE-2026-28390","urls":{"html":"https://cve.report/CVE-2026-28390","api":"https://cve.report/api/cve/CVE-2026-28390.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-28390","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-28390"},"summary":{"title":"Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo","description":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","state":"PUBLISHED","assigner":"openssl","published_at":"2026-04-07 22:16:21","updated_at":"2026-04-08 21:27:00"},"problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":[],"references":[{"url":"https://openssl-library.org/news/secadv/20260407.txt","name":"https://openssl-library.org/news/secadv/20260407.txt","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc","name":"https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75","name":"https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6","name":"https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4","name":"https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788","name":"https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-28390","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28390","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.6.0 3.6.2 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.5.0 3.5.6 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.4.0 3.4.5 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.3.0 3.3.7 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.0.0 3.0.20 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 1.1.1 1.1.1zg custom","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 1.0.2 1.0.2zp custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Muhammad Daffa","lang":"en"},{"source":"CNA","value":"Zhanpeng Liu (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Guannan Wang (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Guancheng Li (Tencent Xuanwu Lab)","lang":"en"},{"source":"CNA","value":"Joshua Rogers","lang":"en"},{"source":"CNA","value":"Chanho Kim","lang":"en"},{"source":"CNA","value":"Neil Horman","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"28390","cve":"CVE-2026-28390","epss":"0.000290000","percentile":"0.084220000","score_date":"2026-04-09","updated_at":"2026-04-10 00:07:02"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"OpenSSL","vendor":"OpenSSL","versions":[{"lessThan":"3.6.2","status":"affected","version":"3.6.0","versionType":"semver"},{"lessThan":"3.5.6","status":"affected","version":"3.5.0","versionType":"semver"},{"lessThan":"3.4.5","status":"affected","version":"3.4.0","versionType":"semver"},{"lessThan":"3.3.7","status":"affected","version":"3.3.0","versionType":"semver"},{"lessThan":"3.0.20","status":"affected","version":"3.0.0","versionType":"semver"},{"lessThan":"1.1.1zg","status":"affected","version":"1.1.1","versionType":"custom"},{"lessThan":"1.0.2zp","status":"affected","version":"1.0.2","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","value":"Muhammad Daffa"},{"lang":"en","type":"reporter","value":"Zhanpeng Liu (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Guannan Wang (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Guancheng Li (Tencent Xuanwu Lab)"},{"lang":"en","type":"reporter","value":"Joshua Rogers"},{"lang":"en","type":"reporter","value":"Chanho Kim"},{"lang":"en","type":"remediation developer","value":"Neil Horman"}],"datePublic":"2026-04-07T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Issue summary: During processing of a crafted CMS EnvelopedData message<br>with KeyTransportRecipientInfo a NULL pointer dereference can happen.<br><br>Impact summary: Applications that process attacker-controlled CMS data may<br>crash before authentication or cryptographic operations occur resulting in<br>Denial of Service.<br><br>When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with<br>RSA-OAEP encryption is processed, the optional parameters field of<br>RSA-OAEP SourceFunc algorithm identifier is examined without checking<br>for its presence. This results in a NULL pointer dereference if the field<br>is missing.<br><br>Applications and services that call CMS_decrypt() on untrusted input<br>(e.g., S/MIME processing or CMS-based protocols) are vulnerable.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this<br>issue, as the affected code is outside the OpenSSL FIPS module boundary."}],"value":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}],"metrics":[{"format":"other","other":{"content":{"text":"Low"},"type":"https://openssl-library.org/policies/general/security-policy/"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-07T22:00:54.172Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"name":"OpenSSL Advisory","tags":["vendor-advisory"],"url":"https://openssl-library.org/news/secadv/20260407.txt"},{"name":"3.6.2 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc"},{"name":"3.5.6 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6"},{"name":"3.4.5 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788"},{"name":"3.3.7 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75"},{"name":"3.0.20 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4"}],"source":{"discovery":"UNKNOWN"},"title":"Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2026-28390","datePublished":"2026-04-07T22:00:54.172Z","dateReserved":"2026-02-27T13:45:02.161Z","dateUpdated":"2026-04-07T22:00:54.172Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-07 22:16:21","lastModifiedDate":"2026-04-08 21:27:00","problem_types":["CWE-476","CWE-476 CWE-476 NULL Pointer Dereference"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"28390","Ordinal":"1","Title":"Possible NULL Dereference When Processing CMS KeyTransportRecipi","CVE":"CVE-2026-28390","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"28390","Ordinal":"1","NoteData":"Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary.","Type":"Description","Title":"Possible NULL Dereference When Processing CMS KeyTransportRecipi"}]}}}