cve-2026-28390
About this tag
CVE-2026-28390 is a low-severity denial-of-service vulnerability in OpenSSL's CMS processing. It involves a NULL pointer dereference that can occur when an application handles a crafted CMS EnvelopedData message using KeyTransportRecipientInfo with RSA-OAEP encryption. A maliciously formed message can crash vulnerable software, creating a service availability problem rather than a confidentiality or integrity breach. The flaw affects OpenSSL versions prior to the fix, and the advisory notes that the crash can happen before authentication or cryptographic operations occur. This tag covers discussions and explanations of CVE-2026-28390, its impact, and mitigation steps for Windows and Linux systems using OpenSSL.
## Overview
A new OpenSSL security advisory has drawn attention to CVE-2026-28390, a low-severity denial-of-service flaw in CMS processing that can trigger a NULL pointer dereference when an application handles a crafted CMS EnvelopedData message using KeyTransportRecipientInfo with RSA-OAEP...