CVE-2026-28389

EUVD-2026-19965

07.04.2026, 22:16

Issue summary: During processing of a crafted CMS EnvelopedData message
with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur resulting in
Denial of Service.

When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is
processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier
is examined without checking for its presence. This results in a NULL
pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input
(e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the affected code is outside the OpenSSL FIPS module boundary.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
openssl	CNA	UNKNOWN				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
openssl	openssl	3.6.0 ≤ 𝑥 < 3.6.2	CNA
openssl	openssl	3.5.0 ≤ 𝑥 < 3.5.6	CNA
openssl	openssl	3.4.0 ≤ 𝑥 < 3.4.5	CNA
openssl	openssl	3.3.0 ≤ 𝑥 < 3.3.7	CNA
openssl	openssl	3.0.0 ≤ 𝑥 < 3.0.20	CNA

Debian Releases

Debian Product

Codename

openssl

bookworm	vulnerable
bookworm (security)	3.0.19-1~deb12u2 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable
trixie (security)	3.5.5-1~deb13u2 fixed

Ubuntu Releases

Ubuntu Product

Codename

openssl

bionic	needed
focal	needed
jammy	Fixed 3.0.2-0ubuntu1.23 released
noble	Fixed 3.0.13-0ubuntu3.9 released
questing	Fixed 3.5.3-1ubuntu3.3 released
trusty	not-affected
xenial	needed

openssl-fips

jammy	dne
noble	dne
questing	dne

openssl1.0

bionic	needed
jammy	dne
noble	dne
questing	dne

nodejs

bionic	needs-triage
focal	not-affected
jammy	needed
noble	not-affected
questing	not-affected
trusty	not-affected
xenial	needs-triage

edk2

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5

https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616

https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f

https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a

https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686

https://openssl-library.org/news/secadv/20260407.txt