CVE-2026-28388: Null Dereference in Delta CRL Processing and Trust Impact

CVE-2026-28388 is a reminder that not every security flaw needs remote code execution to matter. Even a NULL pointer dereference can become operationally significant when it sits inside a trust-heavy component such as certificate validation, especially if the affected path is tied to revocation processing. In Microsoft’s case, the issue is described as occurring when processing a delta CRL, which places it squarely in the plumbing that enterprises rely on to decide whether certificates should still be trusted. The fact pattern suggests a vulnerability that is less about flashy exploitation and more about the reliability, resilience, and defensive integrity of identity systems.

Overview​

Certificate revocation remains one of the most consequential but least appreciated layers of enterprise security. A Certificate Revocation List tells validating systems which certificates should no longer be accepted, and delta CRLs exist to make that process more efficient by carrying only the changes since the last base list. Microsoft’s own documentation explains that base CRLs carry the full revoked set, while delta CRLs carry only the newly revoked certificates, which is why organizations use them to reduce bandwidth and improve freshness.
That design, however, also creates a larger attack surface than many administrators realize. Anything that parses external revocation data must be able to survive malformed, truncated, or otherwise unexpected inputs, because failures in that layer can affect authentication, trust decisions, or service availability. Microsoft Learn notes that Microsoft Entra ID fetches CRLs from uploaded URLs, caches them, and uses delta CRLs so revocation can take effect as soon as the newer list is loaded.
The phrase NULL pointer dereference usually sounds like a crash bug, and sometimes that is all it is. But in security advisories, crash bugs can still matter because they can be triggered predictably, used for denial of service, or reveal weakness in input validation paths that are security-critical. Microsoft has long documented that pointer dereference issues and null-pointer failures can range from denial-of-service conditions to, in some circumstances, more serious privilege or code execution outcomes depending on context and memory handling.
For enterprises, the practical question is not whether this specific issue is glamorous. It is whether certificate validation infrastructure can be destabilized by a malformed delta CRL, especially in environments that depend on high-volume certificate-based authentication. That matters because revocation is part of the trust perimeter; if the path that enforces trust becomes unreliable, the confidence of downstream systems erodes even when the underlying cryptography remains sound.

Background​

Delta CRLs exist for a simple operational reason: revocation data changes frequently, and distributing a complete revocation list every time can be inefficient. Microsoft’s official glossary describes base CRLs as complete lists and delta CRLs as the incremental updates since the base publication. The same documentation set explains that Microsoft Entra ID can use both, and that revocation is not immediate if the cache has not refreshed; the delta list is what shortens that window.
That efficiency is also why revocation infrastructure is often overlooked. Administrators tend to focus on issuance, renewal, and expiration, while CRL distribution points quietly do their work in the background. But if a product mishandles a delta CRL, the bug appears in a place that is operationally central and often externally reachable, which is precisely the kind of component that security teams want to keep boring and deterministic.
Microsoft’s guidance for certificate-based authentication makes the stakes clear. When you configure a certificate authority in Entra, you supply both a base CRL URL and, optionally, a delta CRL URL, and the service uses those URLs to decide whether a certificate is revoked. The documentation also notes that if the base CRL URL is not set, attempts to authenticate with a revoked certificate do not fail, which underscores how much policy depends on correct CRL handling.
In that context, a vulnerability in delta CRL processing is not just a parser bug; it is a trust-chain bug. Even if exploitation does not lead to code execution, a crash in the wrong place can disrupt authentication, delay revocation, or force emergency operational workarounds. That is why a seemingly modest defect can carry real enterprise consequences.

---

What the Vulnerability Suggests​

At a technical level, a null pointer dereference means code attempted to use a pointer that had not been initialized, had been cleared, or otherwise evaluated to null. In mature codebases, that often points to an error-handling path that did not anticipate a specific edge case. In security-sensitive parsers, edge cases are exactly where attackers and stress conditions tend to collide.
The wording “when processing a delta CRL” narrows the issue to a highly specific input type. That suggests the vulnerable code path is not the entire revocation stack, but a branch handling the incremental CRL format, likely during parse, merge, or validation logic. Because delta CRLs are meant to supplement base CRLs, a failure in that branch could affect freshness checking or cause the client or service to fall over while attempting to apply revocation updates.

Why delta CRLs are a delicate input​

Delta CRLs are compact by design, which makes them efficient but also dependent on the integrity of metadata and sequencing. If a parser expects a base CRL relationship, specific extensions, or a valid chain of state transitions and those assumptions are violated, internal objects may end up unset or inconsistent. In security engineering terms, this is the classic danger of trusting the shape of the data too early.
A crash in this area is especially sensitive because certificate validation often happens on critical pathways such as sign-in, VPN access, device enrollment, and application trust decisions. If a malformed delta CRL can interrupt the revocation check, the practical result may be failed logons, delayed trust decisions, or outage-like behavior that impacts many users at once. That makes the issue more important than a narrow component bug would otherwise appear.

Security Impact and Likely Severity​

Microsoft has not always publicly exposed every advisory detail in advance, so the exact severity and exploitability of CVE-2026-28388 should be judged cautiously until the official entry is fully visible in your environment. Still, the phrasing strongly implies a stability failure in a parser, and parser failures in security infrastructure are often rated at least as denial-of-service risks. In a trust service, even a denial-of-service bug can be operationally important. Availability is a security property too.
In the worst case, if the vulnerable path is reachable by untrusted network input or by a remote CRL distribution point, an attacker could potentially trigger repeated crashes or disruption whenever the CRL refresh path runs. That would be particularly troublesome in environments that lean heavily on certificate-based authentication, because cached CRLs only buy so much resilience before refresh becomes necessary. Microsoft notes that CRLs are cached and refreshed when expired, so the impact window depends on cache behavior and revocation cadence.

How this compares with older pointer bugs​

Microsoft’s historical security guidance shows that pointer dereference bugs are not one-size-fits-all. Some are simple crashes, some are denial-of-service conditions, and some become much more serious based on context, such as whether the pointer is dereferenced in kernel mode or after user-controlled memory manipulation. The lesson is that the vulnerability class alone does not determine impact; the surrounding logic does.
That distinction matters here because CRL processing is policy logic, not a consumer app feature. A parser crash in a certificate revocation path is less about a single bad request and more about undermining the service behavior that decides whether a certificate should be trusted. Even if exploitation ends at denial of service, that still creates a meaningful security incident if it blocks authentication at scale.

Enterprise Exposure​

Enterprises that use certificate-based authentication are the most directly exposed audience. Microsoft’s own setup guidance makes clear that organizations can upload CA certificates, CRL URLs, and delta CRL URLs so Entra ID can validate revoked certificates. If the delta CRL processing path is vulnerable, then the systems responsible for enforcing revocation policy may be affected right where they are supposed to provide assurance.
That exposure is amplified in environments with distributed identity dependencies. VPN gateways, remote access services, MDM enrollment, internal portals, and privileged admin workflows often rely on certificate validation under the hood. A crash in revocation handling can therefore have a ripple effect that looks like an authentication outage even if the root cause is a parser defect in a revocation component.

Enterprise operators should think in layers​

The first layer is whether the service directly consumes uploaded CRL URLs or whether the vulnerable code sits on endpoints validating local certificate stores. The second layer is whether delta CRLs are actually enabled in the environment, because Microsoft notes that delta lists are optional but recommended. The third layer is whether the organization can tolerate temporary revocation-check failures without blocking users.
A mature response plan should also distinguish between revocation freshness and service availability. Delta CRLs are meant to reduce the revocation window, but if they can also trigger crashes, administrators may face a difficult tradeoff between stronger revocation responsiveness and added operational fragility. That is the kind of tradeoff security teams hate because it turns a defensive feature into a reliability question.

Consumer and Small-Business Impact​

For consumers, this type of issue is usually less visible unless the affected software is embedded in a product they actively use for login or device trust. Most home users do not manually manage CRLs, but they can still be affected indirectly if a service they depend on uses certificate-based authentication or if a software update touches the same revocation stack. That means the user-facing symptom may be a failed sign-in, an app that refuses to trust a certificate, or a transient service interruption.
Small businesses are a different story. They often adopt managed identity services and certificate-based access without the deep PKI staffing of a large enterprise, which can make them more vulnerable to cascading outages when a backend trust component misbehaves. In small environments, a bug like this can be felt more acutely because there is less redundancy and fewer fallback mechanisms.

Why the symptom may not point to the cause​

One of the hardest parts of CRL-related issues is attribution. Users rarely see “delta CRL parser failure”; they see an authentication error, a failed certificate check, or a service that simply times out. That makes the bug easy to misdiagnose as connectivity trouble, PKI misconfiguration, or an expired certificate, especially if the revocation path is only touched intermittently.
This is why the operational response should emphasize observability. If the organization can correlate certificate-validation failures with CRL refresh events, it becomes much easier to tell whether a malformed or problematic delta CRL is the trigger. In practice, that can save hours of blind troubleshooting during an incident. Clarity beats speculation.

Microsoft’s Broader CRL Model​

Microsoft’s documentation around Entra certificate-based authentication reveals a deliberate design choice: cache revocation data to improve performance, then refresh it as needed. That model reduces the cost of validating every connection against live network resources, and it improves reliability compared with a design that must contact a revocation responder on every request. But it also means the parser handling cached and refreshed CRLs must be exceptionally robust.
The documentation also notes that CRL size limits exist and that Microsoft Entra ID attempts to download a CRL subject to service-side thresholds. That is an important clue, because any system enforcing size, format, and refresh semantics already sits on a complex input-validation boundary. Bugs at that boundary are common because there are many ways for “valid enough” data to become problematic when handled at scale.

The operational balancing act​

On one side of the balance sheet is security freshness: you want revoked certificates to stop working as quickly as possible. On the other is service stability: you do not want a malformed revocation payload to bring down authentication or trigger repeated faults. Delta CRLs are meant to improve the first goal, but CVE-2026-28388 suggests the implementation must also be hardened for the second.
That balance is not unique to Microsoft, of course. Any vendor that parses security metadata must defend against malformed input and must do so without making the validation system brittle. But because Microsoft’s certificate stack sits at the center of so many Windows and Entra workflows, even a narrow parser bug can resonate much more broadly than the code path itself would suggest.

Strengths and Opportunities​

There is a useful positive side to this disclosure: it shines a light on an often ignored layer of enterprise trust infrastructure. By forcing administrators to think about delta CRLs, cache refreshes, and parser resilience, the issue may lead to better hardening across the whole certificate-validation chain. It also offers an opportunity to revisit whether revocation architecture is instrumented well enough to spot fragile behavior before customers feel it.

• Microsoft’s CRL architecture already distinguishes between base and delta revocation data, which makes targeted remediation possible.
• Entra documentation clearly describes how revocation URLs are configured, which helps defenders audit exposure.
• Cached CRL behavior gives organizations a buffer window for troubleshooting and staged rollback.
• Delta CRLs can still deliver fresher revocation semantics when implemented safely.
• The vulnerability may prompt better input-validation testing around security metadata parsers.
• Security teams can use the event to improve observability around certificate refresh events.
• Organizations with mature PKI operations can treat this as a chance to review revocation continuity plans.

Risks and Concerns​

The main concern is not only whether this can crash a component, but whether the crash is reachable in a way that affects large populations of users. If delta CRL processing is part of a widely used validation path, the blast radius could extend beyond a single device or app and into authentication services or enterprise access workflows. That makes even a “mere” null dereference more consequential than it sounds at first glance.

• A malformed delta CRL could trigger repeated failures during revocation refresh.
• Authentication services may misreport the problem as a generic trust error.
• Revocation caching can delay symptom appearance, complicating incident response.
• Small businesses may lack redundancy if the trust path becomes unavailable.
• Administrators could be tempted to weaken revocation checks temporarily, creating security debt.
• Parser bugs in security infrastructure can sometimes reveal deeper validation weaknesses.
• Even if remote exploitation is unlikely, availability failures can still become high-impact incidents.

Practical Response Strategy​

The first step is inventory. Administrators should confirm where delta CRLs are used, which CA objects publish them, and whether those paths feed services that can affect sign-in or device trust. Microsoft’s guidance makes those dependencies explicit enough that a disciplined audit should be straightforward, even if the actual remediation depends on product-specific updates.
The second step is validation. Teams should test whether the affected environments continue to function when CRLs refresh, expire, or are replaced, and they should verify whether any hidden assumptions exist around CRL size or structure. Because CRLs are cached, testing must include not just immediate behavior but also refresh behavior over time.

A simple operational checklist​

• Identify every CA and service that uses a delta CRL.
• Confirm whether the base CRL and delta CRL URLs are publicly reachable and valid.
• Test certificate validation during CRL refresh windows.
• Monitor for authentication failures that coincide with revocation updates.
• Apply Microsoft security updates as soon as they are available for the affected component.

The third step is governance. Security and identity teams should decide in advance how to respond if a revocation-related parser bug creates instability, because improvising under pressure usually leads to disabling the wrong control. A pre-approved rollback plan is worth far more than a last-minute debate about whether revocation should stay on or be relaxed.

Looking Ahead​

What matters next is how Microsoft positions the fix and whether the issue is confined to a narrow component or signals a broader hardening effort in its certificate-validation stack. If the patch lands cleanly, most organizations will treat the event as a standard security update. If not, administrators may need to inspect CRL publication design, cache timing, and service dependencies more carefully than they have in the past.
There is also a wider industry lesson here. As more identity systems depend on certificate-based trust, the invisible machinery behind revocation becomes part of the attack surface, not just the reliability surface. That means parser robustness, telemetry, and fail-safe behavior are no longer niche concerns for PKI specialists; they are mainstream requirements for any organization that expects certificates to remain trustworthy at scale.

• Watch for Microsoft’s final classification and whether the advisory frames the issue as availability only or something more nuanced.
• Review whether delta CRLs are essential in your environment or merely convenient.
• Confirm that revocation monitoring alerts on refresh failures, not just expired certificates.
• Ensure operational teams know how to distinguish CRL cache issues from broader authentication outages.
• Keep remediation plans aligned with the vendor’s update guidance rather than ad hoc workarounds.

The broader truth is that certificate infrastructure only feels invisible when it is healthy. CVE-2026-28388 is a reminder that the systems we rely on to say “yes” or “no” to trust decisions must themselves be ruthlessly resilient, because when they fail, they do not merely crash a service — they shake confidence in the trust model underneath the service.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center