CVE-2026-28390

NULL Pointer Dereference

Published: Apr 07, 2026 | Modified: May 12, 2026

CVSS 3.x (source: NVD): 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: none listed
Red Hat V2: none listed
Red Hat V3: 7.5 (rated MODERATE on Red Hat's own severity scale)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu priority: LOW

Issue summary: Processing a crafted CMS EnvelopedData message that uses KeyTransportRecipientInfo can trigger a NULL pointer dereference.

Impact summary: Applications that process attacker-controlled CMS data may crash before any authentication or cryptographic operation takes place, resulting in a denial of service. The CVSS vector above reflects this: no privileges or user interaction are needed, and only availability is affected.

When a CMS EnvelopedData message uses KeyTransportRecipientInfo with RSA-OAEP key encryption, the optional parameters field of the RSA-OAEP pSourceFunc AlgorithmIdentifier (the label source function inside RSAES-OAEP-params) is examined without first checking that it is present. An AlgorithmIdentifier whose parameters are absent is valid ASN.1, so the message decodes with that field set to NULL and the dereference happens afterwards, while the key-encryption parameters are interpreted.

Applications and services that call CMS_decrypt() on untrusted input (for example S/MIME processing or CMS-based protocols) are vulnerable. Because the faulty access occurs while the recipient's key-encryption parameters are parsed, the attacker needs neither the recipient's private key nor a message that would otherwise decrypt successfully; one malformed message is enough to crash the process.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. This is a statement about the validated module, not about applications built on it: the CMS code lives in libcrypto, which still has to be updated.

Weakness

CWE-476, NULL Pointer Dereference: the product dereferences a pointer that it expects to be valid but is NULL.

Affected Software

Upstream rows give a version range (start version inclusive, end version excluded; the end version is the first fixed release). Vendor rows list the package build or release series as given on the source page; the trailing * is reproduced from the page.

Name | Vendor | Start Version | End Version
Openssl | Openssl | 1.0.2 (including) | 1.0.2zp (excluding)
Openssl | Openssl | 1.1.1 (including) | 1.1.1zg (excluding)
Openssl | Openssl | 3.0.0 (including) | 3.0.20 (excluding)
Openssl | Openssl | 3.3.0 (including) | 3.3.7 (excluding)
Openssl | Openssl | 3.4.0 (including) | 3.4.5 (excluding)
Openssl | Openssl | 3.5.0 (including) | 3.5.6 (excluding)
Openssl | Openssl | 3.6.0 (including) | 3.6.2 (excluding)
Red Hat Enterprise Linux 10 | RedHat | openssl-1:3.5.5-3.el10_2 | *
Red Hat Enterprise Linux 8 | RedHat | compat-openssl10-1:1.0.2o-4.el8_10.2 | *
Red Hat Enterprise Linux 9 | RedHat | openssl-1:3.5.5-3.el9_8 | *
Red Hat Enterprise Linux 9 | RedHat | compat-openssl11-1:1.1.1k-5.el9_8.3 | *
Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/lightspeed-chatbot-rhel9:1780102732 | *
Red Hat Discovery 2 | RedHat | discovery/discovery-server-rhel9:1778101579 | *
Red Hat Hardened Images | RedHat | openssl-main-3.5.6-0.3.hum1 | *
Red Hat Hardened Images | RedHat | openssl-main-3.5.6-0.1.hum1 | *
Red Hat Insights proxy 1.5 | RedHat | insights-proxy/insights-proxy-container-rhel9:1780420428 | *
Red Hat Update Infrastructure 5 | RedHat | rhui5/cds-rhel9:1781525684 | *
Red Hat Update Infrastructure 5 | RedHat | rhui5/haproxy-rhel9:1781525671 | *
Red Hat Update Infrastructure 5 | RedHat | rhui5/installer-rhel9:1781525693 | *
Red Hat Update Infrastructure 5 | RedHat | rhui5/rhua-rhel9:1781525739 | *
Edk2 | Ubuntu | esm-apps/xenial | *
Nodejs | Ubuntu | esm-apps/jammy | *
Nodejs | Ubuntu | esm-apps/xenial | *
Nodejs | Ubuntu | jammy | *
Openssl | Ubuntu | devel | *
Openssl | Ubuntu | esm-infra-legacy/xenial | *
Openssl | Ubuntu | esm-infra/bionic | *
Openssl | Ubuntu | esm-infra/focal | *
Openssl | Ubuntu | esm-infra/xenial | *
Openssl | Ubuntu | fips-preview/jammy | *
Openssl | Ubuntu | fips-updates/bionic | *
Openssl | Ubuntu | fips-updates/focal | *
Openssl | Ubuntu | fips-updates/jammy | *
Openssl | Ubuntu | fips-updates/xenial | *
Openssl | Ubuntu | fips/bionic | *
Openssl | Ubuntu | fips/focal | *
Openssl | Ubuntu | fips/xenial | *
Openssl | Ubuntu | jammy | *
Openssl | Ubuntu | noble | *
Openssl | Ubuntu | questing | *
Openssl | Ubuntu | resolute | *
Openssl | Ubuntu | upstream | *
Openssl1.0 | Ubuntu | esm-infra/bionic | *
Openssl1.0 | Ubuntu | upstream | *
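As an added example (not code from the advisory, OpenSSL, or any vendor), the following Python script encodes the upstream ranges from the table above and classifies a version string, including the raw output of `openssl version`, as affected, fixed or unlisted. It handles the letter-suffixed 1.0.2/1.1.1 release numbering (1.0.2z sorts before 1.0.2za) and applies only to upstream version numbers; the sample inputs at the bottom are constructed.

```python
import re

# Upstream OpenSSL ranges from the affected-software table above:
# start version inclusive, end version excluded (the end is the fixed release).
AFFECTED_RANGES = [
    ("1.0.2", "1.0.2zp"),
    ("1.1.1", "1.1.1zg"),
    ("3.0.0", "3.0.20"),
    ("3.3.0", "3.3.7"),
    ("3.4.0", "3.4.5"),
    ("3.5.0", "3.5.6"),
    ("3.6.0", "3.6.2"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.2zp', '3.0.13' or a line such as 'OpenSSL 3.0.13 30 Jan 2024'
    (the output of `openssl version`) into a comparable tuple.

    OpenSSL 1.x patch releases are ordered by a letter suffix:
    '' < 'a' < ... < 'z' < 'za' < 'zb' < ..., so the suffix is compared first
    by length and then lexicographically. 3.x releases carry no suffix.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = m.group(4)
    return (major, minor, patch, (len(suffix), suffix))


def _branch(v):
    """Release line a version belongs to: 1.0.2 and 1.1.1 are lines of their
    own (full triple), 3.x lines are identified by major.minor."""
    return v[:3] if v[0] == 1 else v[:2]


def classify(text):
    """Return ('affected', fixed_version), ('fixed', fixed_version) or
    ('unlisted', None) for an upstream OpenSSL version string.

    'unlisted' means the release line does not appear in the table (for
    example 3.1 and 3.2), not that it is safe. Distribution builds such as
    openssl-3.5.5-3.el9_8 carry backported fixes, so their version numbers
    must be judged against the vendor row, not against these upstream ranges.
    """
    v = parse_version(text)
    for start, end in AFFECTED_RANGES:
        s, e = parse_version(start), parse_version(end)
        if _branch(v) != _branch(s):
            continue
        return ("affected", end) if s <= v < e else ("fixed", end)
    return ("unlisted", None)


if __name__ == "__main__":
    # Constructed sample inputs; the first one mimics `openssl version` output.
    for sample in ("OpenSSL 3.0.13 30 Jan 2024", "1.1.1k", "1.0.2zp", "3.2.1", "3.6.1"):
        print(f"{sample:30} -> {classify(sample)}")
```

Feed it `openssl version` from each host (or the version string your application links against, which may differ from the system binary) to get a first-pass list of what must move to the End Version column. Treat 'unlisted' as a prompt to check the release line's support status rather than as a pass.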

Potential Mitigations

Upgrade to the first fixed release of the line in use (the End Version column of the upstream rows above) or to the vendor build listed for your distribution. Applications that link a FIPS provider still need the libcrypto update, since the affected CMS code is outside the module boundary.

References