CVE-2026-28390

Source
https://cve.org/CVERecord?id=CVE-2026-28390
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-28390.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-28390
Downstream
Related
Published
2026-04-07T22:00:54.172Z
Modified
2026-07-17T21:02:23.178179097Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo
Details

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28390.json",
    "cna_assigner": "openssl",
    "cwe_ids": [
        "CWE-476"
    ]
}
References

Affected packages

Git / github.com/openssl/openssl

Affected ranges

Type
GIT
Repo
https://github.com/openssl/openssl
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "1.0.2"
        },
        {
            "fixed": "1.0.2zp"
        },
        {
            "introduced": "1.1.1"
        },
        {
            "fixed": "1.1.1zg"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.20"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.7"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.5"
        },
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.6"
        },
        {
            "introduced": "3.6.0"
        },
        {
            "fixed": "3.6.2"
        }
    ],
    "cpe": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*"
}

Affected versions

3.*
3.0-POST-CLANG-FORMAT-WEBKIT
3.0-PRE-CLANG-FORMAT-WEBKIT
3.3-POST-CLANG-FORMAT-WEBKIT
3.3-PRE-CLANG-FORMAT-WEBKIT
3.4-POST-CLANG-FORMAT-WEBKIT
3.4-PRE-CLANG-FORMAT-WEBKIT
3.5-POST-CLANG-FORMAT-WEBKIT
3.5-PRE-CLANG-FORMAT-WEBKIT
3.6-POST-CLANG-FORMAT-WEBKIT
3.6-PRE-CLANG-FORMAT-WEBKIT
openssl-3.*
openssl-3.0.0
openssl-3.0.1
openssl-3.0.10
openssl-3.0.11
openssl-3.0.12
openssl-3.0.13
openssl-3.0.14
openssl-3.0.15
openssl-3.0.16
openssl-3.0.17
openssl-3.0.18
openssl-3.0.19
openssl-3.0.2
openssl-3.0.3
openssl-3.0.4
openssl-3.0.5
openssl-3.0.6
openssl-3.0.7
openssl-3.0.8
openssl-3.0.9
openssl-3.3.0
openssl-3.3.1
openssl-3.3.2
openssl-3.3.3
openssl-3.3.4
openssl-3.3.5
openssl-3.3.6
openssl-3.4.0
openssl-3.4.1
openssl-3.4.2
openssl-3.4.3
openssl-3.4.4
openssl-3.5.0
openssl-3.5.1
openssl-3.5.2
openssl-3.5.3
openssl-3.5.4
openssl-3.5.5
openssl-3.6.0
openssl-3.6.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-28390.json"
vanir_signatures
[
    {
        "source": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788",
        "digest": {
            "length": 1555.0,
            "function_hash": "208167205929557218772622546317945340200"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-53fef48e",
        "target": {
            "function": "rsa_cms_decrypt",
            "file": "crypto/cms/cms_rsa.c"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75",
        "target": {
            "function": "rsa_cms_decrypt",
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-65f665fd",
        "digest": {
            "length": 1555.0,
            "function_hash": "208167205929557218772622546317945340200"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc",
        "target": {
            "function": "rsa_cms_decrypt",
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-744e8c4a",
        "digest": {
            "length": 1555.0,
            "function_hash": "208167205929557218772622546317945340200"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6",
        "target": {
            "function": "rsa_cms_decrypt",
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-77506068",
        "digest": {
            "length": 1555.0,
            "function_hash": "208167205929557218772622546317945340200"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788",
        "target": {
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-b94c386e",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "296531400987787570607111096466602919993",
                "8699448053770643201643073117579322327",
                "204162525914129437129733224328599613188",
                "231163442730967465297798462714627255269",
                "14759194917919286941299242074483365138",
                "204633183348896921099513793913144881511",
                "110484410639719864012220375237118667373",
                "124205898791976448214313640833716018203",
                "110031214004051748907646648028710224743",
                "65951623945443948675063143644906784420",
                "308607858008102704226472153730621370608",
                "87525137975056214162578338182683216656",
                "313868663886712355293079802602816625191",
                "155478037852184704759370953673958737233",
                "83574583416137661211535805398758736590",
                "167376585927776822298473667503126870368",
                "12460177366329197323478077079339715117",
                "180672678574921682509921211266246669854",
                "265685049395907516432569159225258775752",
                "329876614499104607420309626687025593968",
                "198298782130738740185022004642767354817",
                "302344979768586843068821973603024644129",
                "173382000964038254657544970535321140102",
                "303363889413180603633054667465920136782",
                "148423888963270331707012862730392010133",
                "235259485310637081833748561890439780288",
                "95138829016858277519801191274807322230",
                "233099392835336453971615502904637108359",
                "62762882659509011094429679706400578485"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4",
        "target": {
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-ba4af5a2",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "296531400987787570607111096466602919993",
                "8699448053770643201643073117579322327",
                "204162525914129437129733224328599613188",
                "231163442730967465297798462714627255269",
                "14759194917919286941299242074483365138",
                "204633183348896921099513793913144881511",
                "110484410639719864012220375237118667373",
                "124205898791976448214313640833716018203",
                "110031214004051748907646648028710224743",
                "65951623945443948675063143644906784420",
                "308607858008102704226472153730621370608",
                "87525137975056214162578338182683216656",
                "313868663886712355293079802602816625191",
                "155478037852184704759370953673958737233",
                "83574583416137661211535805398758736590",
                "167376585927776822298473667503126870368",
                "12460177366329197323478077079339715117",
                "180672678574921682509921211266246669854",
                "265685049395907516432569159225258775752",
                "329876614499104607420309626687025593968",
                "198298782130738740185022004642767354817",
                "302344979768586843068821973603024644129",
                "173382000964038254657544970535321140102",
                "303363889413180603633054667465920136782",
                "148423888963270331707012862730392010133",
                "235259485310637081833748561890439780288",
                "95138829016858277519801191274807322230",
                "233099392835336453971615502904637108359",
                "62762882659509011094429679706400578485"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6",
        "target": {
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-bdb2e4f5",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "296531400987787570607111096466602919993",
                "8699448053770643201643073117579322327",
                "204162525914129437129733224328599613188",
                "231163442730967465297798462714627255269",
                "14759194917919286941299242074483365138",
                "204633183348896921099513793913144881511",
                "110484410639719864012220375237118667373",
                "124205898791976448214313640833716018203",
                "110031214004051748907646648028710224743",
                "65951623945443948675063143644906784420",
                "308607858008102704226472153730621370608",
                "87525137975056214162578338182683216656",
                "313868663886712355293079802602816625191",
                "155478037852184704759370953673958737233",
                "83574583416137661211535805398758736590",
                "167376585927776822298473667503126870368",
                "12460177366329197323478077079339715117",
                "180672678574921682509921211266246669854",
                "265685049395907516432569159225258775752",
                "329876614499104607420309626687025593968",
                "198298782130738740185022004642767354817",
                "302344979768586843068821973603024644129",
                "173382000964038254657544970535321140102",
                "303363889413180603633054667465920136782",
                "148423888963270331707012862730392010133",
                "235259485310637081833748561890439780288",
                "95138829016858277519801191274807322230",
                "233099392835336453971615502904637108359",
                "62762882659509011094429679706400578485"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "28170854778703993674264004058177114599",
                "73132526844288570625317440636111911761",
                "177405411499435185068645597737938634778",
                "224809958623850711330610094965797758930",
                "295554444428855106393106961197201359586"
            ]
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-c377fa22",
        "target": {
            "file": "include/openssl/opensslv.h"
        },
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc",
        "target": {
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-cbb8cda0",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "296531400987787570607111096466602919993",
                "8699448053770643201643073117579322327",
                "204162525914129437129733224328599613188",
                "231163442730967465297798462714627255269",
                "14759194917919286941299242074483365138",
                "204633183348896921099513793913144881511",
                "110484410639719864012220375237118667373",
                "124205898791976448214313640833716018203",
                "110031214004051748907646648028710224743",
                "65951623945443948675063143644906784420",
                "308607858008102704226472153730621370608",
                "87525137975056214162578338182683216656",
                "313868663886712355293079802602816625191",
                "155478037852184704759370953673958737233",
                "83574583416137661211535805398758736590",
                "167376585927776822298473667503126870368",
                "12460177366329197323478077079339715117",
                "180672678574921682509921211266246669854",
                "265685049395907516432569159225258775752",
                "329876614499104607420309626687025593968",
                "198298782130738740185022004642767354817",
                "302344979768586843068821973603024644129",
                "173382000964038254657544970535321140102",
                "303363889413180603633054667465920136782",
                "148423888963270331707012862730392010133",
                "235259485310637081833748561890439780288",
                "95138829016858277519801191274807322230",
                "233099392835336453971615502904637108359",
                "62762882659509011094429679706400578485"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75",
        "target": {
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-d38698ac",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "296531400987787570607111096466602919993",
                "8699448053770643201643073117579322327",
                "204162525914129437129733224328599613188",
                "231163442730967465297798462714627255269",
                "14759194917919286941299242074483365138",
                "204633183348896921099513793913144881511",
                "110484410639719864012220375237118667373",
                "124205898791976448214313640833716018203",
                "110031214004051748907646648028710224743",
                "65951623945443948675063143644906784420",
                "308607858008102704226472153730621370608",
                "87525137975056214162578338182683216656",
                "313868663886712355293079802602816625191",
                "155478037852184704759370953673958737233",
                "83574583416137661211535805398758736590",
                "167376585927776822298473667503126870368",
                "12460177366329197323478077079339715117",
                "180672678574921682509921211266246669854",
                "265685049395907516432569159225258775752",
                "329876614499104607420309626687025593968",
                "198298782130738740185022004642767354817",
                "302344979768586843068821973603024644129",
                "173382000964038254657544970535321140102",
                "303363889413180603633054667465920136782",
                "148423888963270331707012862730392010133",
                "235259485310637081833748561890439780288",
                "95138829016858277519801191274807322230",
                "233099392835336453971615502904637108359",
                "62762882659509011094429679706400578485"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8",
        "target": {
            "file": "crypto/opensslv.h"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-e051451f",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "251633914150035957322733061977107206211",
                "338514574181828579838011565939158652696",
                "76638288692106140328510055542557597351",
                "142922657400765574308962710386922248045",
                "71649992455794854055653842592139575350",
                "65527166711110472566013424527579064967",
                "253196866009476977787139000804413898733",
                "172177136897997206866313011107384691461"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4",
        "target": {
            "function": "rsa_cms_decrypt",
            "file": "crypto/cms/cms_rsa.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-28390-f5bac5ce",
        "digest": {
            "length": 1555.0,
            "function_hash": "208167205929557218772622546317945340200"
        },
        "signature_type": "Function"
    }
]
vanir_signatures_modified
"2026-07-11T13:14:00Z"