OpenSSL Vulnerability: Null Pointer Dereference Leads to DoS

CVE Notify is flagging a critical vulnerability, CVE-2026-28390, lurking within OpenSSL. The issue stems from how the software handles crafted CMS EnvelopedData messages, specifically those employing KeyTransportRecipientInfo. According to CVE Notify, when processing these messages with RSA-OAEP encryption, OpenSSL fails to check for the presence of an optional parameters field. This oversight can lead to a NULL pointer dereference, a classic bug that can bring down an application.

The impact here is straightforward: Denial of Service. Applications that accept and process attacker-controlled CMS data, especially those involved in S/MIME processing or other CMS-based protocols, could be knocked offline before any authentication or cryptographic verification takes place. This is a nasty one because it hits early in the processing chain, potentially before any defenses are engaged. CVE Notify also points out that OpenSSL's FIPS modules, versions 3.0 through 3.6, are not affected, because the vulnerable code lies outside the FIPS module boundary.

What This Means For You

  • Review your application's dependencies on OpenSSL and confirm that any code processing untrusted CMS data is patched or updated, particularly if it's not utilizing the FIPS modules.
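As an added illustration (not code from the article or from OpenSSL), the Python check below parses the DER-encoded keyEncryptionAlgorithm of a KeyTransRecipientInfo and flags an RSAES-OAEP AlgorithmIdentifier whose parameters field is absent, so untrusted CMS input can be rejected before it reaches CMS_decrypt(). It assumes the caller has already isolated that AlgorithmIdentifier from the EnvelopedData; the byte strings are constructed samples, and the empty SEQUENCE encodes RFC 4055's default OAEP parameters.

```python
"""Pre-flight check for a DER AlgorithmIdentifier taken from a CMS
KeyTransRecipientInfo: flag id-RSAES-OAEP with no parameters field,
the shape that triggers the NULL dereference described in the article."""

OID_RSAES_OAEP = "1.2.840.113549.1.1.7"  # id-RSAES-OAEP (RFC 4055)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV; handles long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def oaep_params_missing(alg_der):
    """True when alg_der is AlgorithmIdentifier{id-RSAES-OAEP} with no parameters."""
    tag, body, _ = _read_tlv(alg_der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_val, pos = _read_tlv(body, 0)
    if oid_tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    # parameters are absent when nothing follows the OID inside the SEQUENCE
    return _decode_oid(oid_val) == OID_RSAES_OAEP and pos >= len(body)

# Constructed samples (hand-encoded DER, not captured traffic)
OAEP_NO_PARAMS = bytes.fromhex("300b06092a864886f70d010107")       # reject
OAEP_EMPTY_PARAMS = bytes.fromhex("300d06092a864886f70d0101073000")  # default params present
RSA_PKCS1 = bytes.fromhex("300d06092a864886f70d0101010500")         # rsaEncryption, NULL params
```

Run the check on each recipient's keyEncryptionAlgorithm and drop the message when it returns True; a well-formed OAEP recipient always carries a parameters SEQUENCE, even if empty.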

Related ATT&CK Techniques and Detection Rules

One Sigma detection rule (available in 6 SIEM formats) is mapped to MITRE ATT&CK T1190, Initial Access, at high severity: Web Application Exploitation Attempt — CVE-2026-28390.

Source: Shimi's Cyber World

Indicators of Compromise

ID: CVE-2026-28390
Type: DoS; Memory Corruption; Misconfiguration
Indicator: OpenSSL versions prior to 3.0.12, 3.1.4, 3.2.0. Vulnerable component: CMS_decrypt() function. Vulnerability occurs when processing crafted CMS EnvelopedData messages with KeyTransportRecipientInfo and RSA-OAEP encryption where the optional parameters field is missing, leading to a NULL pointer dereference.
