CVE-2026-28389

EUVD-2026-19965
Issue summary: During processing of a crafted CMS EnvelopedData message
with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur resulting in
Denial of Service.

When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is
processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier
is examined without checking for its presence. This results in a NULL
pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input
(e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
1.0.2 ≤
𝑥
< 1.0.2zp
opensslopenssl
1.1.1 ≤
𝑥
< 1.1.1zg
opensslopenssl
3.0.0 ≤
𝑥
< 3.0.20
opensslopenssl
3.3.0 ≤
𝑥
< 3.3.7
opensslopenssl
3.4.0 ≤
𝑥
< 3.4.5
opensslopenssl
3.5.0 ≤
𝑥
< 3.5.6
opensslopenssl
3.6.0 ≤
𝑥
< 3.6.2
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
SiemensSIMATIC CN 4100
𝑥
< V5.0
ADP
SiemensSIMATIC S7-1500 TM MFP - GNU\/Linux subsystem
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
openssl
bookworm
3.0.20-1~deb12u1
fixed
bookworm (security)
3.0.19-1~deb12u2
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
forky
3.6.2-1
fixed
sid
3.6.2-1
fixed
trixie
3.5.6-1~deb13u1
fixed
trixie (security)
3.5.5-1~deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
bionic
Fixed 1.1.1-1ubuntu2.1~18.04.23+esm8
released
focal
Fixed 1.1.1f-1ubuntu2.24+esm3
released
jammy
Fixed 3.0.2-0ubuntu1.23
released
noble
Fixed 3.0.13-0ubuntu3.9
released
questing
Fixed 3.5.3-1ubuntu3.3
released
resolute
Fixed 3.5.5-1ubuntu3
released
trusty
not-affected
xenial
Fixed 1.0.2g-1ubuntu4.20+esm15
released
openssl-fips
jammy
dne
noble
dne
questing
dne
resolute
dne
openssl1.0
bionic
Fixed 1.0.2n-1ubuntu5.13+esm4
released
jammy
dne
noble
dne
questing
dne
resolute
dne
nodejs
bionic
needs-triage
focal
not-affected
jammy
needed
noble
not-affected
questing
not-affected
resolute
not-affected
trusty
not-affected
xenial
ignored
edk2
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
xenial
ignored
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libopenssl-3-devel
suse enterprise desktop 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.81.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.60.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.45.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.31.1
fixed
libopenssl-3-fips-provider
suse enterprise desktop 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.45.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.31.1
fixed
libopenssl-3-fips-provider-32bit
suse enterprise desktop 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.45.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.31.1
fixed
libopenssl3
suse enterprise desktop 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.81.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.60.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.45.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.31.1
fixed
libopenssl3-32bit
suse enterprise desktop 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.45.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.31.1
fixed
openssl-3
suse enterprise desktop 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.31.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.81.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.60.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.45.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.31.1
fixed
Common Weakness Enumeration
References
https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5
https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616
https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f
https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a
https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686
https://openssl-library.org/news/secadv/20260407.txt
https://cert-portal.siemens.com/productcert/html/ssa-032379.html
https://cert-portal.siemens.com/productcert/html/ssa-265688.html