Bug 2456314 (CVE-2026-28390)

Summary: CVE-2026-28390 openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aadhikar, akostadi, amasferr, anpicker, anthomas, bdettelb, bparees, brasmith, bsmejkal, cochase, crizzo, csutherl, dbosanac, derez, dmayorov, doconnor, dranck, dschmidt, eborisov, ebourniv, ehelms, erezende, eshamard, ggainey, gotiwari, hasun, jachapma, jcantril, jclere, jfula, jgrulich, jhorak, jkoehler, jlanda, jlledo, jmitchel, jowilson, jreimann, juwatts, jvasik, kaycoth, kshier, lball, lgallett, lphiri, mdessi, mhulan, mreynolds, mrizzi, mvyas, ngough, nmoumoul, nyancey, ometelka, osousa, pantinor, pbohmill, pcattana, pcreech, pjindal, plodge, progier, ptisnovs, rblanco, rchan, rhel-process-autobot, rjohnson, rojacob, sbunciak, simaishi, smallamp, smcdonal, snegrini, spichugi, stcannon, syedriko, szappis, tbordaz, teagle, tmalecek, tpopela, tsedmik, vashirov, vchlup, veshanka, watson-tool-maintainers, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in OpenSSL. A remote attacker could exploit this vulnerability by sending a specially crafted Cryptographic Message Syntax (CMS) EnvelopedData message. During the processing of a KeyTransportRecipientInfo with RSA-OAEP encryption, the system attempts to access an optional parameter field without first verifying its presence. This leads to a NULL pointer dereference, which can cause applications processing the attacker-controlled CMS data to crash, resulting in a Denial of Service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2456409, 2456412, 2456413, 2456414, 2456416, 2456417, 2456418, 2456420, 2456421, 2456422, 2456424, 2456425, 2456426, 2456427, 2456429, 2456430, 2456432, 2456433, 2456435, 2456436, 2456437, 2456442, 2456443, 2456444, 2456447, 2456448, 2456449, 2456450, 2456452, 2456453, 2456454, 2456456, 2456457, 2456459, 2456460, 2456463, 2456464, 2456468, 2456470, 2456471, 2456472, 2456477, 2456478, 2456479, 2456480, 2456481, 2456410, 2456411, 2456415, 2456419, 2456423, 2456428, 2456431, 2456434, 2456438, 2456439, 2456440, 2456441, 2456445, 2456446, 2456451, 2456455, 2456458, 2456461, 2456462, 2456465, 2456466, 2456467, 2456469, 2456473, 2456474, 2456475, 2456476    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-07 23:01:41 UTC 
Issue summary: During processing of a crafted CMS EnvelopedData message
with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur resulting in
Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with
RSA-OAEP encryption is processed, the optional parameters field of
RSA-OAEP SourceFunc algorithm identifier is examined without checking
for its presence. This results in a NULL pointer dereference if the field
is missing.

Applications and services that call CMS_decrypt() on untrusted input
(e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
Comment 2 errata-xmlrpc 2026-06-01 13:12:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:22315 https://access.redhat.com/errata/RHSA-2026:22315
Comment 3 errata-xmlrpc 2026-06-01 13:12:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22313 https://access.redhat.com/errata/RHSA-2026:22313
Comment 4 errata-xmlrpc 2026-06-01 13:21:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22314 https://access.redhat.com/errata/RHSA-2026:22314
Comment 5 errata-xmlrpc 2026-06-01 13:43:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22312 https://access.redhat.com/errata/RHSA-2026:22312