Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in a Denial of Service.
When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.
Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
{
"cna_assigner": "openssl",
"cwe_ids": [
"CWE-476"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28389.json"
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "1.0.2"
},
{
"fixed": "1.0.2zp"
},
{
"introduced": "1.1.1"
},
{
"fixed": "1.1.1zg"
},
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.20"
},
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.7"
},
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.5"
},
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.6"
},
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.2"
}
],
"cpe": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"
}[
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5",
"target": {
"file": "crypto/cms/cms_ec.c",
"function": "ecdh_cms_set_shared_info"
},
"id": "CVE-2026-28389-08261dff",
"digest": {
"function_hash": "220212300272990662700643768678357463760",
"length": 1363.0
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616",
"target": {
"file": "crypto/cms/cms_dh.c"
},
"id": "CVE-2026-28389-1b1ca4d9",
"digest": {
"line_hashes": [
"35040822673859645981477916107913023139",
"93565823115982767152496764659501767766",
"241756499995554558550602367300017643700",
"191338120555964314917981441313617292316",
"147857528157518671552020408598352417501",
"191712768671169977210748902842933264345",
"285821873076905783592971116327398757227",
"206703883280606155502738453870378980881",
"335217870970338360093905925963042168197",
"276006600787294503462210323054236244571",
"86260100061005767582631828819609971143",
"319381704718689333317669133590605303938",
"256282953336782932349783315299183728680",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f",
"target": {
"file": "crypto/cms/cms_ec.c"
},
"id": "CVE-2026-28389-326533ff",
"digest": {
"line_hashes": [
"339574314018800471946332591302274221091",
"324373727784504944843233301225824637211",
"241756499995554558550602367300017643700",
"12521850379814007373532789688046211438",
"117342360621347706033129047703801997159",
"185292036368172262462097254932521310241",
"94190543996604676849176713917615421954",
"106863008812326076345685972430007566832",
"282378567138276691786629430182438473941",
"255116467245818032153320742923067490257",
"36986505605978595967335407833084821547",
"149880329217016635387887804450489765326",
"89860272611462147307771061494521213681",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f",
"target": {
"file": "crypto/cms/cms_ec.c",
"function": "ecdh_cms_set_shared_info"
},
"id": "CVE-2026-28389-33cf90c9",
"digest": {
"function_hash": "220212300272990662700643768678357463760",
"length": 1363.0
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f",
"target": {
"file": "crypto/cms/cms_dh.c",
"function": "dh_cms_set_shared_info"
},
"id": "CVE-2026-28389-4c6b9c04",
"digest": {
"function_hash": "85580592443376971564746879996092594480",
"length": 1634.0
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686",
"target": {
"file": "crypto/cms/cms_dh.c"
},
"id": "CVE-2026-28389-644f67bf",
"digest": {
"line_hashes": [
"158952456200596267618838350065954804513",
"93565823115982767152496764659501767766",
"241756499995554558550602367300017643700",
"191338120555964314917981441313617292316",
"147857528157518671552020408598352417501",
"191712768671169977210748902842933264345",
"285821873076905783592971116327398757227",
"206703883280606155502738453870378980881",
"335217870970338360093905925963042168197",
"276006600787294503462210323054236244571",
"86260100061005767582631828819609971143",
"319381704718689333317669133590605303938",
"256282953336782932349783315299183728680",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a",
"target": {
"file": "crypto/cms/cms_dh.c"
},
"id": "CVE-2026-28389-668111d0",
"digest": {
"line_hashes": [
"35040822673859645981477916107913023139",
"93565823115982767152496764659501767766",
"241756499995554558550602367300017643700",
"191338120555964314917981441313617292316",
"147857528157518671552020408598352417501",
"191712768671169977210748902842933264345",
"285821873076905783592971116327398757227",
"206703883280606155502738453870378980881",
"335217870970338360093905925963042168197",
"276006600787294503462210323054236244571",
"86260100061005767582631828819609971143",
"319381704718689333317669133590605303938",
"256282953336782932349783315299183728680",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a",
"target": {
"file": "crypto/cms/cms_dh.c",
"function": "dh_cms_set_shared_info"
},
"id": "CVE-2026-28389-6770b983",
"digest": {
"function_hash": "85580592443376971564746879996092594480",
"length": 1634.0
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a",
"target": {
"file": "crypto/cms/cms_ec.c",
"function": "ecdh_cms_set_shared_info"
},
"id": "CVE-2026-28389-69d31ac9",
"digest": {
"function_hash": "220212300272990662700643768678357463760",
"length": 1363.0
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616",
"target": {
"file": "crypto/cms/cms_dh.c",
"function": "dh_cms_set_shared_info"
},
"id": "CVE-2026-28389-6f275edb",
"digest": {
"function_hash": "85580592443376971564746879996092594480",
"length": 1634.0
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a",
"target": {
"file": "crypto/cms/cms_ec.c"
},
"id": "CVE-2026-28389-746edf00",
"digest": {
"line_hashes": [
"339574314018800471946332591302274221091",
"324373727784504944843233301225824637211",
"241756499995554558550602367300017643700",
"12521850379814007373532789688046211438",
"117342360621347706033129047703801997159",
"185292036368172262462097254932521310241",
"94190543996604676849176713917615421954",
"106863008812326076345685972430007566832",
"282378567138276691786629430182438473941",
"255116467245818032153320742923067490257",
"36986505605978595967335407833084821547",
"149880329217016635387887804450489765326",
"89860272611462147307771061494521213681",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616",
"target": {
"file": "crypto/cms/cms_ec.c"
},
"id": "CVE-2026-28389-7569978c",
"digest": {
"line_hashes": [
"339574314018800471946332591302274221091",
"324373727784504944843233301225824637211",
"241756499995554558550602367300017643700",
"12521850379814007373532789688046211438",
"117342360621347706033129047703801997159",
"185292036368172262462097254932521310241",
"94190543996604676849176713917615421954",
"106863008812326076345685972430007566832",
"282378567138276691786629430182438473941",
"255116467245818032153320742923067490257",
"36986505605978595967335407833084821547",
"149880329217016635387887804450489765326",
"89860272611462147307771061494521213681",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686",
"target": {
"file": "crypto/cms/cms_ec.c",
"function": "ecdh_cms_set_shared_info"
},
"id": "CVE-2026-28389-7b09eb19",
"digest": {
"function_hash": "220212300272990662700643768678357463760",
"length": 1363.0
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5",
"target": {
"file": "crypto/cms/cms_ec.c"
},
"id": "CVE-2026-28389-9a894a5a",
"digest": {
"line_hashes": [
"339574314018800471946332591302274221091",
"324373727784504944843233301225824637211",
"241756499995554558550602367300017643700",
"12521850379814007373532789688046211438",
"117342360621347706033129047703801997159",
"185292036368172262462097254932521310241",
"94190543996604676849176713917615421954",
"106863008812326076345685972430007566832",
"282378567138276691786629430182438473941",
"255116467245818032153320742923067490257",
"36986505605978595967335407833084821547",
"149880329217016635387887804450489765326",
"89860272611462147307771061494521213681",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5",
"target": {
"file": "crypto/cms/cms_dh.c"
},
"id": "CVE-2026-28389-a2c81bc9",
"digest": {
"line_hashes": [
"35040822673859645981477916107913023139",
"93565823115982767152496764659501767766",
"241756499995554558550602367300017643700",
"191338120555964314917981441313617292316",
"147857528157518671552020408598352417501",
"191712768671169977210748902842933264345",
"285821873076905783592971116327398757227",
"206703883280606155502738453870378980881",
"335217870970338360093905925963042168197",
"276006600787294503462210323054236244571",
"86260100061005767582631828819609971143",
"319381704718689333317669133590605303938",
"256282953336782932349783315299183728680",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686",
"target": {
"file": "crypto/cms/cms_ec.c"
},
"id": "CVE-2026-28389-a8c14aef",
"digest": {
"line_hashes": [
"339574314018800471946332591302274221091",
"324373727784504944843233301225824637211",
"241756499995554558550602367300017643700",
"12521850379814007373532789688046211438",
"117342360621347706033129047703801997159",
"185292036368172262462097254932521310241",
"94190543996604676849176713917615421954",
"106863008812326076345685972430007566832",
"282378567138276691786629430182438473941",
"255116467245818032153320742923067490257",
"36986505605978595967335407833084821547",
"149880329217016635387887804450489765326",
"89860272611462147307771061494521213681",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616",
"target": {
"file": "crypto/cms/cms_ec.c",
"function": "ecdh_cms_set_shared_info"
},
"id": "CVE-2026-28389-b3d14555",
"digest": {
"function_hash": "220212300272990662700643768678357463760",
"length": 1363.0
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86",
"target": {
"file": "include/openssl/opensslv.h"
},
"id": "CVE-2026-28389-c377fa22",
"digest": {
"line_hashes": [
"28170854778703993674264004058177114599",
"73132526844288570625317440636111911761",
"177405411499435185068645597737938634778",
"224809958623850711330610094965797758930",
"295554444428855106393106961197201359586"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686",
"target": {
"file": "crypto/cms/cms_dh.c",
"function": "dh_cms_set_shared_info"
},
"id": "CVE-2026-28389-c7d767cf",
"digest": {
"function_hash": "85580592443376971564746879996092594480",
"length": 1634.0
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f",
"target": {
"file": "crypto/cms/cms_dh.c"
},
"id": "CVE-2026-28389-dbb50246",
"digest": {
"line_hashes": [
"35040822673859645981477916107913023139",
"93565823115982767152496764659501767766",
"241756499995554558550602367300017643700",
"191338120555964314917981441313617292316",
"147857528157518671552020408598352417501",
"191712768671169977210748902842933264345",
"285821873076905783592971116327398757227",
"206703883280606155502738453870378980881",
"335217870970338360093905925963042168197",
"276006600787294503462210323054236244571",
"86260100061005767582631828819609971143",
"319381704718689333317669133590605303938",
"256282953336782932349783315299183728680",
"10137784562806207999599328005914036118",
"23908226079055335692986235745925339697"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8",
"target": {
"file": "crypto/opensslv.h"
},
"id": "CVE-2026-28389-e051451f",
"digest": {
"line_hashes": [
"251633914150035957322733061977107206211",
"338514574181828579838011565939158652696",
"76638288692106140328510055542557597351",
"142922657400765574308962710386922248045",
"71649992455794854055653842592139575350",
"65527166711110472566013424527579064967",
"253196866009476977787139000804413898733",
"172177136897997206866313011107384691461"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5",
"target": {
"file": "crypto/cms/cms_dh.c",
"function": "dh_cms_set_shared_info"
},
"id": "CVE-2026-28389-e38dd840",
"digest": {
"function_hash": "85580592443376971564746879996092594480",
"length": 1634.0
},
"deprecated": false
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-28389.json"
"2026-06-18T10:19:26Z"