Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.
When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.
Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
{
"cna_assigner": "openssl",
"cwe_ids": [
"CWE-476"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28390.json"
}{
"cpe": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "1.0.2"
},
{
"fixed": "1.0.2zp"
},
{
"introduced": "1.1.1"
},
{
"fixed": "1.1.1zg"
},
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.20"
},
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.7"
},
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.5"
},
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.6"
},
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.2"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-28390.json"
[
{
"digest": {
"length": 1555.0,
"function_hash": "208167205929557218772622546317945340200"
},
"signature_type": "Function",
"source": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788",
"signature_version": "v1",
"id": "CVE-2026-28390-53fef48e",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c",
"function": "rsa_cms_decrypt"
}
},
{
"digest": {
"length": 1555.0,
"function_hash": "208167205929557218772622546317945340200"
},
"id": "CVE-2026-28390-65f665fd",
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c",
"function": "rsa_cms_decrypt"
}
},
{
"signature_type": "Function",
"digest": {
"length": 1555.0,
"function_hash": "208167205929557218772622546317945340200"
},
"id": "CVE-2026-28390-744e8c4a",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c",
"function": "rsa_cms_decrypt"
}
},
{
"signature_type": "Function",
"source": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6",
"digest": {
"length": 1555.0,
"function_hash": "208167205929557218772622546317945340200"
},
"signature_version": "v1",
"id": "CVE-2026-28390-77506068",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c",
"function": "rsa_cms_decrypt"
}
},
{
"digest": {
"line_hashes": [
"296531400987787570607111096466602919993",
"8699448053770643201643073117579322327",
"204162525914129437129733224328599613188",
"231163442730967465297798462714627255269",
"14759194917919286941299242074483365138",
"204633183348896921099513793913144881511",
"110484410639719864012220375237118667373",
"124205898791976448214313640833716018203",
"110031214004051748907646648028710224743",
"65951623945443948675063143644906784420",
"308607858008102704226472153730621370608",
"87525137975056214162578338182683216656",
"313868663886712355293079802602816625191",
"155478037852184704759370953673958737233",
"83574583416137661211535805398758736590",
"167376585927776822298473667503126870368",
"12460177366329197323478077079339715117",
"180672678574921682509921211266246669854",
"265685049395907516432569159225258775752",
"329876614499104607420309626687025593968",
"198298782130738740185022004642767354817",
"302344979768586843068821973603024644129",
"173382000964038254657544970535321140102",
"303363889413180603633054667465920136782",
"148423888963270331707012862730392010133",
"235259485310637081833748561890439780288",
"95138829016858277519801191274807322230",
"233099392835336453971615502904637108359",
"62762882659509011094429679706400578485"
],
"threshold": 0.9
},
"id": "CVE-2026-28390-b94c386e",
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c"
}
},
{
"signature_type": "Line",
"digest": {
"line_hashes": [
"296531400987787570607111096466602919993",
"8699448053770643201643073117579322327",
"204162525914129437129733224328599613188",
"231163442730967465297798462714627255269",
"14759194917919286941299242074483365138",
"204633183348896921099513793913144881511",
"110484410639719864012220375237118667373",
"124205898791976448214313640833716018203",
"110031214004051748907646648028710224743",
"65951623945443948675063143644906784420",
"308607858008102704226472153730621370608",
"87525137975056214162578338182683216656",
"313868663886712355293079802602816625191",
"155478037852184704759370953673958737233",
"83574583416137661211535805398758736590",
"167376585927776822298473667503126870368",
"12460177366329197323478077079339715117",
"180672678574921682509921211266246669854",
"265685049395907516432569159225258775752",
"329876614499104607420309626687025593968",
"198298782130738740185022004642767354817",
"302344979768586843068821973603024644129",
"173382000964038254657544970535321140102",
"303363889413180603633054667465920136782",
"148423888963270331707012862730392010133",
"235259485310637081833748561890439780288",
"95138829016858277519801191274807322230",
"233099392835336453971615502904637108359",
"62762882659509011094429679706400578485"
],
"threshold": 0.9
},
"id": "CVE-2026-28390-ba4af5a2",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c"
}
},
{
"signature_type": "Line",
"source": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6",
"digest": {
"line_hashes": [
"296531400987787570607111096466602919993",
"8699448053770643201643073117579322327",
"204162525914129437129733224328599613188",
"231163442730967465297798462714627255269",
"14759194917919286941299242074483365138",
"204633183348896921099513793913144881511",
"110484410639719864012220375237118667373",
"124205898791976448214313640833716018203",
"110031214004051748907646648028710224743",
"65951623945443948675063143644906784420",
"308607858008102704226472153730621370608",
"87525137975056214162578338182683216656",
"313868663886712355293079802602816625191",
"155478037852184704759370953673958737233",
"83574583416137661211535805398758736590",
"167376585927776822298473667503126870368",
"12460177366329197323478077079339715117",
"180672678574921682509921211266246669854",
"265685049395907516432569159225258775752",
"329876614499104607420309626687025593968",
"198298782130738740185022004642767354817",
"302344979768586843068821973603024644129",
"173382000964038254657544970535321140102",
"303363889413180603633054667465920136782",
"148423888963270331707012862730392010133",
"235259485310637081833748561890439780288",
"95138829016858277519801191274807322230",
"233099392835336453971615502904637108359",
"62762882659509011094429679706400578485"
],
"threshold": 0.9
},
"signature_version": "v1",
"id": "CVE-2026-28390-bdb2e4f5",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c"
}
},
{
"digest": {
"line_hashes": [
"28170854778703993674264004058177114599",
"73132526844288570625317440636111911761",
"177405411499435185068645597737938634778",
"224809958623850711330610094965797758930",
"295554444428855106393106961197201359586"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "include/openssl/opensslv.h"
},
"signature_version": "v1",
"id": "CVE-2026-28390-c377fa22",
"deprecated": false,
"source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86"
},
{
"digest": {
"line_hashes": [
"296531400987787570607111096466602919993",
"8699448053770643201643073117579322327",
"204162525914129437129733224328599613188",
"231163442730967465297798462714627255269",
"14759194917919286941299242074483365138",
"204633183348896921099513793913144881511",
"110484410639719864012220375237118667373",
"124205898791976448214313640833716018203",
"110031214004051748907646648028710224743",
"65951623945443948675063143644906784420",
"308607858008102704226472153730621370608",
"87525137975056214162578338182683216656",
"313868663886712355293079802602816625191",
"155478037852184704759370953673958737233",
"83574583416137661211535805398758736590",
"167376585927776822298473667503126870368",
"12460177366329197323478077079339715117",
"180672678574921682509921211266246669854",
"265685049395907516432569159225258775752",
"329876614499104607420309626687025593968",
"198298782130738740185022004642767354817",
"302344979768586843068821973603024644129",
"173382000964038254657544970535321140102",
"303363889413180603633054667465920136782",
"148423888963270331707012862730392010133",
"235259485310637081833748561890439780288",
"95138829016858277519801191274807322230",
"233099392835336453971615502904637108359",
"62762882659509011094429679706400578485"
],
"threshold": 0.9
},
"id": "CVE-2026-28390-cbb8cda0",
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c"
}
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"296531400987787570607111096466602919993",
"8699448053770643201643073117579322327",
"204162525914129437129733224328599613188",
"231163442730967465297798462714627255269",
"14759194917919286941299242074483365138",
"204633183348896921099513793913144881511",
"110484410639719864012220375237118667373",
"124205898791976448214313640833716018203",
"110031214004051748907646648028710224743",
"65951623945443948675063143644906784420",
"308607858008102704226472153730621370608",
"87525137975056214162578338182683216656",
"313868663886712355293079802602816625191",
"155478037852184704759370953673958737233",
"83574583416137661211535805398758736590",
"167376585927776822298473667503126870368",
"12460177366329197323478077079339715117",
"180672678574921682509921211266246669854",
"265685049395907516432569159225258775752",
"329876614499104607420309626687025593968",
"198298782130738740185022004642767354817",
"302344979768586843068821973603024644129",
"173382000964038254657544970535321140102",
"303363889413180603633054667465920136782",
"148423888963270331707012862730392010133",
"235259485310637081833748561890439780288",
"95138829016858277519801191274807322230",
"233099392835336453971615502904637108359",
"62762882659509011094429679706400578485"
]
},
"id": "CVE-2026-28390-d38698ac",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c"
}
},
{
"signature_type": "Line",
"source": "https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8",
"digest": {
"threshold": 0.9,
"line_hashes": [
"251633914150035957322733061977107206211",
"338514574181828579838011565939158652696",
"76638288692106140328510055542557597351",
"142922657400765574308962710386922248045",
"71649992455794854055653842592139575350",
"65527166711110472566013424527579064967",
"253196866009476977787139000804413898733",
"172177136897997206866313011107384691461"
]
},
"signature_version": "v1",
"id": "CVE-2026-28390-e051451f",
"deprecated": false,
"target": {
"file": "crypto/opensslv.h"
}
},
{
"digest": {
"length": 1555.0,
"function_hash": "208167205929557218772622546317945340200"
},
"id": "CVE-2026-28390-f5bac5ce",
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4",
"deprecated": false,
"target": {
"file": "crypto/cms/cms_rsa.c",
"function": "rsa_cms_decrypt"
}
}
]
"2026-07-11T13:14:00Z"