OpenSSL Vulnerability: Null Pointer Dereference Leads to DoS

CVE Notify is flagging a critical vulnerability, CVE-2026-28390, lurking within OpenSSL. The issue stems from how the software handles crafted CMS EnvelopedData messages, specifically those employing KeyTransportRecipientInfo. According to CVE Notify, when processing these messages with RSA-OAEP encryption, OpenSSL fails to check for the presence of an optional parameters field. This oversight can lead to a NULL pointer dereference, a classic bug that can bring down an application.

The impact here is pretty straightforward: Denial of Service. Applications that accept and process attacker-controlled CMS data, especially those involved in S/MIME processing or other CMS-based protocols, could be knocked offline before any authentication or crypto even kicks in. This is a nasty one because it hits early in the processing chain, potentially before defenses are even engaged. It’s worth noting that CVE Notify points out that OpenSSL’s FIPS modules versions 3.0 through 3.6 are not affected, as the vulnerable code resides outside that specific module’s boundary.

What This Means For You

  • Review your application's dependencies on OpenSSL and confirm that any code processing untrusted CMS data is patched or updated, particularly if it's not utilizing the FIPS modules.
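One way to screen for the condition described above before untrusted CMS data reaches the decrypt path, as an added example that is not OpenSSL's code or its fix: a bounds-checked DER walk over a single AlgorithmIdentifier that reports an RSA-OAEP identifier with no parameters field. It assumes the caller has already extracted the key-encryption AlgorithmIdentifier from the KeyTransportRecipientInfo; `check_keytrans_alg`, `der_header` and the sample bytes are hypothetical names and constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER content bytes of the id-RSAES-OAEP OID (1.2.840.113549.1.1.7). */
static const unsigned char OID_RSAES_OAEP[] =
    {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x07};

enum alg_check { ALG_MALFORMED = -1, ALG_OK = 0, ALG_OAEP_NO_PARAMS = 1 };

/* Read one DER tag/length header at buf[*pos], bounded by n (needs *pos <= n).
 * On success *pos points at the value and *len holds its length. */
static int der_header(const unsigned char *buf, size_t n, size_t *pos,
                      unsigned char *tag, size_t *len)
{
    if (n - *pos < 2) return -1;
    *tag = buf[(*pos)++];
    size_t k = buf[(*pos)++];
    if (k < 0x80) {
        *len = k;                       /* short form */
    } else {
        k &= 0x7F;                      /* long form: k length octets follow */
        if (k == 0 || k > sizeof(size_t) || n - *pos < k) return -1;
        for (*len = 0; k > 0; k--) *len = (*len << 8) | buf[(*pos)++];
    }
    return *len <= n - *pos ? 0 : -1;
}

/* Hypothetical helper: classify one DER AlgorithmIdentifier,
 * SEQUENCE { OID, parameters OPTIONAL }. ALG_OK only means "not flagged". */
enum alg_check check_keytrans_alg(const unsigned char *der, size_t n)
{
    size_t pos = 0, len, end;
    unsigned char tag;
    if (der_header(der, n, &pos, &tag, &len) || tag != 0x30) return ALG_MALFORMED;
    end = pos + len;                    /* nothing past the SEQUENCE is read */
    if (der_header(der, end, &pos, &tag, &len) || tag != 0x06) return ALG_MALFORMED;
    int oaep = len == sizeof OID_RSAES_OAEP && memcmp(der + pos, OID_RSAES_OAEP, len) == 0;
    pos += len;
    /* The OPTIONAL parameters are absent when the OID ends the SEQUENCE. */
    return (oaep && pos == end) ? ALG_OAEP_NO_PARAMS : ALG_OK;
}

/* Constructed samples: OAEP with no parameters, OAEP with empty parameters. */
static const unsigned char SAMPLE_BARE[] = {0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x07};
static const unsigned char SAMPLE_FULL[] = {0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x07, 0x30, 0x00};

int main(void) {
    printf("bare=%d full=%d\n", check_keytrans_alg(SAMPLE_BARE, sizeof SAMPLE_BARE),
           check_keytrans_alg(SAMPLE_FULL, sizeof SAMPLE_FULL));
    return 0;
}
```

A flagged or malformed result is a reason to reject or quarantine the message rather than pass it on for decryption.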

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-28390 | DoS | OpenSSL versions prior to 3.0.12, 3.1.4, 3.2.0. Vulnerable component: CMS_decrypt() function. Vulnerability occurs when processing crafted CMS EnvelopedData messages with KeyTransportRecipientInfo and RSA-OAEP encryption where the optional parameters field is missing, leading to a NULL pointer dereference. |
| CVE-2026-28390 | Memory Corruption | OpenSSL versions prior to 3.0.12, 3.1.4, 3.2.0. Vulnerable component: CMS_decrypt() function. Vulnerability occurs when processing crafted CMS EnvelopedData messages with KeyTransportRecipientInfo and RSA-OAEP encryption where the optional parameters field is missing, leading to a NULL pointer dereference. |
| CVE-2026-28390 | Misconfiguration | OpenSSL versions prior to 3.0.12, 3.1.4, 3.2.0. Vulnerable component: CMS_decrypt() function. Vulnerability occurs when processing crafted CMS EnvelopedData messages with KeyTransportRecipientInfo and RSA-OAEP encryption where the optional parameters field is missing, leading to a NULL pointer dereference. |