Bug 2456314 (CVE-2026-28390) - CVE-2026-28390 openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing
Summary: CVE-2026-28390 openssl: OpenSSL: Denial of Service due to NULL pointer derefe...
Keywords:
Status: NEW
Alias: CVE-2026-28390
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2456409 2456412 2456413 2456414 2456447 2456448 2456449 2456450 2456452 2456453 2456454 2456456 2456457 2456459 2456460 2456463 2456464 2456468 2456470 2456471 2456472 2456477 2456478 2456479 2456480 2456481 2456410 2456411 2456415 2456416 2456417 2456418 2456419 2456420 2456421 2456422 2456423 2456424 2456425 2456426 2456427 2456428 2456429 2456430 2456431 2456432 2456433 2456434 2456435 2456436 2456437 2456438 2456439 2456440 2456441 2456442 2456443 2456444 2456445 2456446 2456451 2456455 2456458 2456461 2456462 2456465 2456466 2456467 2456469 2456473 2456474 2456475 2456476
Blocks:
Reported: 2026-04-07 23:01 UTC by OSIDB Bzimport
Modified: 2026-06-02 08:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2026:22312  0        None      None    None     2026-06-01 13:44:04 UTC
Red Hat Product Errata  RHSA-2026:22313  0        None      None    None     2026-06-01 13:13:05 UTC
Red Hat Product Errata  RHSA-2026:22314  0        None      None    None     2026-06-01 13:21:45 UTC
Red Hat Product Errata  RHSA-2026:22315  0        None      None    None     2026-06-01 13:12:51 UTC

Description OSIDB Bzimport 2026-04-07 23:01:41 UTC
Issue summary: During processing of a crafted CMS EnvelopedData message
with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur, resulting in
Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with
RSA-OAEP encryption is processed, the optional parameters field of the
RSA-OAEP SourceFunc algorithm identifier is examined without checking
for its presence. This results in a NULL pointer dereference if the field
is missing.

Applications and services that call CMS_decrypt() on untrusted input
(e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
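The root cause described above is an OPTIONAL DER field that a decoder assumed was present. The following is an added example, not code from the advisory or from OpenSSL: a minimal DER walker for an AlgorithmIdentifier (SEQUENCE { OID, parameters OPTIONAL }) that reports whether the parameters field exists, plus a pre-filter that rejects an RSA-OAEP pSourceFunc lacking its OCTET STRING parameter. The id-pSpecified OID is the RFC 4055 value; the two sample encodings are constructed for the demonstration.

```python
# Added example: detect an absent OPTIONAL parameters field in a DER
# AlgorithmIdentifier before any code path dereferences it.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos] (definite lengths only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(der):
    """Return (oid, parameters); parameters is None when the OPTIONAL field is absent."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    params = None
    if pos < len(body):                    # only touch parameters if bytes remain
        ptag, pval, _ = read_tlv(body, pos)
        params = (ptag, pval)
    return decode_oid(oid_body), params

ID_PSPECIFIED = "1.2.840.113549.1.1.9"     # RFC 4055 id-pSpecified

def oaep_psource_ok(der):
    """Accept pSourceFunc only as id-pSpecified carrying an OCTET STRING label."""
    oid, params = parse_algorithm_identifier(der)
    return oid == ID_PSPECIFIED and params is not None and params[0] == 0x04

# Constructed samples: id-pSpecified with an empty label, and the same with parameters omitted.
PSOURCE_WITH_PARAMS = bytes.fromhex("300d06092a864886f70d0101090400")
PSOURCE_MISSING_PARAMS = bytes.fromhex("300b06092a864886f70d010109")
```

Run against a message before handing it to a CMS decoder: a `False` result means the encoding is the shape the advisory describes and should be rejected rather than decrypted.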

Comment 2 errata-xmlrpc 2026-06-01 13:12:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:22315 https://access.redhat.com/errata/RHSA-2026:22315

Comment 3 errata-xmlrpc 2026-06-01 13:12:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22313 https://access.redhat.com/errata/RHSA-2026:22313

Comment 4 errata-xmlrpc 2026-06-01 13:21:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22314 https://access.redhat.com/errata/RHSA-2026:22314

Comment 5 errata-xmlrpc 2026-06-01 13:43:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22312 https://access.redhat.com/errata/RHSA-2026:22312
