2456314 – (CVE-2026-28390) CVE-2026-28390 openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing

Bug 2456314 (CVE-2026-28390) - CVE-2026-28390 openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing

Summary: CVE-2026-28390 openssl: OpenSSL: Denial of Service due to NULL pointer derefe...

Keywords:
Status:	NEW
Alias:	CVE-2026-28390
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2456409 2456412 2456413 2456414 2456416 2456417 2456418 2456420 2456421 2456422 2456424 2456425 2456426 2456427 2456429 2456430 2456431 2456432 2456433 2456435 2456436 2456437 2456442 2456443 2456444 2456445 2456447 2456448 2456449 2456450 2456452 2456453 2456454 2456456 2456457 2456459 2456460 2456463 2456464 2456465 2456466 2456468 2456470 2456471 2456472 2456477 2456478 2456479 2456480 2456481 2456410 2456411 2456415 2456419 2456423 2456428 2456434 2456438 2456439 2456440 2456441 2456446 2456451 2456455 2456458 2456461 2456462 2456467 2456469 2456473 2456474 2456475 2456476
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-07 23:01 UTC by OSIDB Bzimport
Modified:	2026-04-24 15:20 UTC (History)
CC List:	89 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-07 23:01:41 UTC

Issue summary: During processing of a crafted CMS EnvelopedData message
with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur resulting in
Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with
RSA-OAEP encryption is processed, the optional parameters field of
RSA-OAEP SourceFunc algorithm identifier is examined without checking
for its presence. This results in a NULL pointer dereference if the field
is missing.

Applications and services that call CMS_decrypt() on untrusted input
(e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.

Note You need to log in before you can comment on or make changes to this bug.

aadhikar
adudiak
akostadi
amasferr
anpicker
anthomas
bdettelb
bparees
brasmith
bsmejkal
cochase
crizzo
csutherl
dbosanac
derez
dmayorov
doconnor
dranck
dschmidt
eborisov
ebourniv
ehelms
erezende
eshamard
ggainey
gotiwari
hasun
jachapma
jcantril
jclere
jfula
jgrulich
jhorak
jkoehler
jlanda
jlledo
jmitchel
jowilson
jreimann
juwatts
jvasik
kaycoth
kshier
lball
lgallett
lphiri
mdessi
mhulan
mreynolds
mrizzi
mvyas
ngough
nmoumoul
nyancey
ometelka
osousa
pantinor
pbohmill
pcattana
pcreech
pjindal
plodge
progier
ptisnovs
rblanco
rchan
rhel-process-autobot
rjohnson
rojacob
sbunciak
simaishi
smallamp
smcdonal
snegrini
spichugi
stcannon
syedriko
szappis
tbordaz
teagle
tmalecek
tpopela
tsedmik
vashirov
vchlup
veshanka
watson-tool-maintainers
xdharmai
yguenane