CVE-2026-28390 OpenSSL CMS NULL Dereference: Low-Severity DoS Explained

  • Thread Author
## Overview
A new OpenSSL security advisory has drawn attention to CVE-2026-28390, a low-severity denial-of-service flaw in CMS processing that can trigger a NULL pointer dereference when an application handles a crafted CMS EnvelopedData message using KeyTransportRecipientInfo with RSA-OAEP encryption. In practical terms, that means a maliciously formed message can crash vulnerable software instead of being safely rejected, creating a service availability problem rather than a confidentiality or integrity breach. OpenSSL’s own advisory says the affected code can crash before authentication or cryptographic operations occur, which is exactly why availability-focused bugs in parsing code still matter even when they are not classified as high severity. (openssl-library.org)
The issue lands in a cluster of related CMS parsing bugs disclosed on the same day, which suggests the vulnerable area was under active review and hardening. The advisory lists several versions as affected: 3.6.0 before 3.6.2, 3.5.0 before 3.5.6, 3.4.0 before 3.4.5, 3.3.0 before 3.3.7, 3.0.0 before 3.0.20, 1.1.1 before 1.1.1zg, and 1.0.2 before 1.0.2zp. It also states that the FIPS modules are not affected, because the vulnerable code sits outside the FIPS boundary. (openssl-library.org)
Although the user’s prompt quotes Microsoft’s availability language from an MSRC vulnerability page, the technical substance here aligns with the OpenSSL advisory rather than a Microsoft product issue. Microsoft’s Security Update Guide page for CVE-2026-28390 is reachable, but the public HTML currently renders only a JavaScript shell, so the visible technical details are not exposed in the page source I could inspect directly. The most reliable public description available in this moment is the OpenSSL advisory itself, which describes the bug, the affected releases, and the crash-oriented impact. (msrc.microsoft.com)
## Background
Cryptographic Message Syntax, or CMS, is one of those standards that most end users never notice but many enterprise systems quietly depend on. It appears in secure email, message packaging, certificate workflows, and other protocols that need a structured way to encrypt and wrap data. That makes CMS code deep infrastructure: if it breaks, the failure often surfaces as a crash or a hard-to-diagnose processing error far from the original message source. (openssl-library.org)
The specific structure at issue, KeyTransportRecipientInfo, is part of the CMS EnvelopedData model used to transport content-encryption keys to recipients. In this case, the problematic path involves RSA-OAEP encryption and an optional parameters field that the code examined without first verifying that the field was actually present. That is a classic parser hardening mistake: the logic assumes a value exists, but the specification allows it to be omitted. (openssl-library.org)
The advisory’s wording is important because it frames the bug as a crash condition rather than a memory corruption primitive. OpenSSL says an attacker who can supply crafted CMS data may force an application to crash before authentication or cryptographic operations occur, resulting in denial of service. That means the issue is serious for uptime and resilience, but it does not, based on the advisory, indicate direct remote code execution or data theft. (openssl-library.org)
This is also part of a broader pattern in security advisories: many of the bugs that look “small” in code review become large in deployment when they sit inside protocols that process attacker-controlled input. OpenSSL’s own public history shows that the project repeatedly classifies NULL dereferences as availability issues when the exploitation path is a malformed network or file object. That makes sense because availability failures can still be operationally costly, especially in mail gateways, signing services, PKI middleware, and other components where crashes can ripple across a fleet. (openssl-library.org)
### Why CMS bugs matter
CMS processing is often used in places where organizations assume the input is “trusted enough” because it came from a partner, a mailbox, or an internal signing workflow. That assumption is dangerous because attackers love trust boundaries that look boring. A malicious sender, compromised mailbox, or attacker-in-the-middle on a poorly designed workflow can still deliver malformed objects to a parser that was never written to fail gracefully. (openssl-library.org)
When these bugs land in libraries like OpenSSL, the blast radius depends less on the code path itself and more on where the library is used. A crash in a desktop email client is annoying; a crash in a central mail relay, gateway appliance, or automated document-signing service can become a production incident. That is why even “Low” severity parser bugs are still tracked and patched promptly by downstream vendors. (openssl-library.org)
## Technical Anatomy of the Bug
The advisory describes a fairly narrow but classic failure mode: during processing of a crafted CMS EnvelopedData message, the code follows the KeyTransportRecipientInfo branch and then inspects the optional RSA-OAEP parameters field without checking whether that field exists. If the field is missing, the code dereferences a NULL pointer and the process crashes. That is a textbook CWE-476-style issue, even if the public advisory does not emphasize the CWE label. (openssl-library.org)
The root cause matters because the vulnerability is not in the cryptography itself but in the metadata handling around it. Cryptographic code often gets treated as mathematically hard but operationally safe; in reality, much of the risk lives in the glue code that walks ASN.1 structures, interprets optional fields, and maps them into internal objects. The bug here is in exactly that glue layer. (openssl-library.org)

Parsing optional fields safely​

Optional fields are dangerous because they create a two-state problem: the parser must handle both “present” and “absent” without assuming either one. If a code path reaches for the field before checking for null, the bug is already latent; the crafted input merely reveals it. That is why robust parsers usually validate the full structure first and only then hand off to the business logic. (openssl-library.org)
A subtle but important point is that the crash can occur before any meaningful cryptographic validation completes. That changes the operational story: the attacker does not need to defeat encryption, only to reach the parser with malformed CMS data. In environments where CMS messages are automatically accepted and processed, the attack surface can be broader than defenders assume. (openssl-library.org)
### The role of RSA-OAEP
RSA-OAEP is a well-established public-key encryption scheme, but in this advisory it is not the mathematical scheme that is flawed. The issue arises when the CMS KeyTransportRecipientInfo path with RSA-OAEP leads the implementation to read the optional parameters field of the RSA-OAEP SourceFunc algorithm identifier without checking whether the field exists. In other words, the cryptosystem is fine; the object handling around it is not. (openssl-library.org)
That distinction matters for defenders because it shapes the mitigation strategy. You are not replacing an algorithm or downgrading crypto policy; you are patching the library so it can safely process malformed input. For most users, the right answer is simply to update to a fixed OpenSSL release. (openssl-library.org)
## Impact and Exploitability
OpenSSL classifies CVE-2026-28390 as Low severity, and that classification is driven by impact and exploit constraints. The advisory says the result is a crash leading to Denial of Service, not code execution or data disclosure. That makes the vulnerability important, but not catastrophic in the way a memory corruption bug would be. (openssl-library.org)
Still, low severity is not the same thing as low operational importance. Systems that process untrusted CMS data can be front-line services, and a crash at the wrong moment can interrupt mail flow, document workflows, device enrollment, or automated trust services. If the vulnerable component is restarted automatically, the attacker may be able to repeat the crash and create sustained downtime. (openssl-library.org)

What an attacker actually needs​

The attacker must be able to supply a specially crafted CMS EnvelopedData message to a vulnerable application or service. That implies some form of input reachability, whether through email, protocol mediation, file upload, or an API that consumes CMS payloads. If the product never processes attacker-controlled CMS objects, the practical risk is far lower. (openssl-library.org)
This is why exploitability depends heavily on deployment context. A library bug by itself is just code; a library bug inside a service that accepts arbitrary messages is an attack surface. That distinction is often the difference between a patch that is “available” and one that becomes a real-world incident. (openssl-library.org)

Why denial of service still counts​

The user-supplied description in the prompt uses unusually strong language about availability loss, and that framing is accurate for many denial-of-service conditions. If an attacker can repeatedly crash a critical component, the effect can be functionally equivalent to blocking access to the service altogether. That is why availability bugs are not harmless just because they don’t leak secrets. (openssl-library.org)
In enterprise environments, repeated crashes can also trigger secondary failures: failover loops, queue backlogs, corrupted retry states, and watchdog restarts that keep the system in an unstable cycle. So while CVE-2026-28390 is not a confidentiality issue, it can still be expensive to absorb if the affected software sits on a sensitive path. (openssl-library.org)
## Affected Versions and Patch Cadence
OpenSSL’s advisory gives a straightforward affected-version matrix: 3.6.0 before 3.6.2, 3.5.0 before 3.5.6, 3.4.0 before 3.4.5, 3.3.0 before 3.3.7, 3.0.0 before 3.0.20, 1.1.1 before 1.1.1zg, and 1.0.2 before 1.0.2zp. That is a wide spread, but the fix pattern is consistent: upgrade to the first patched release in your branch. (openssl-library.org)
The fact that OpenSSL maintained patches across multiple active and legacy series reflects how embedded the library still is. Enterprises often have a mix of modern and older dependencies, and library refresh cycles rarely align neatly with application release cycles. That creates a familiar tension: security teams want immediate patching, while application owners worry about compatibility regression. (openssl-library.org)

What the version list tells us​

The version list also hints that this bug was fixed in the same patch wave as several neighboring issues, which is common when maintainers harden a subsystem after finding one flaw. That can be a good sign: once a parser bug is identified, maintainers often audit nearby code paths and release a package of fixes rather than drip them out one at a time. It’s not proof of wider compromise, but it is evidence of concentrated review. (openssl-library.org)
For organizations running supported OpenSSL branches, the path is simple: move to the fixed release in your line. For those on legacy versions, the reality is less pleasant, because some of those branches are deeply embedded in appliances or vendor-shipped stacks. In those cases, the patch may need to come from the product vendor rather than directly from OpenSSL. (openssl-library.org)
### FIPS boundary implications
One of the more reassuring lines in the advisory is that the FIPS modules are not affected. That does not mean every FIPS-adjacent product is safe, but it does mean the vulnerable code is outside the validated boundary of the affected OpenSSL FIPS modules. In compliance-heavy environments, that distinction can simplify internal risk assessments. (openssl-library.org)
That said, organizations should be careful not to overread the FIPS note as a blanket pass. If a product uses OpenSSL outside the FIPS module boundary, or wraps CMS handling around non-FIPS library code, it can still be vulnerable. The right control is version verification, not assumption. (openssl-library.org)
## Enterprise vs Consumer Exposure
For consumers, the immediate exposure is usually indirect. Most people are not hand-crafting CMS messages or running OpenSSL as a standalone service, so the likely impact is limited to software vendors shipping the vulnerable library inside an application. In those cases, the consumer’s job is mostly to install updates when the vendor releases them. (openssl-library.org)
For enterprises, the picture is very different. OpenSSL sits inside mail infrastructure, identity tooling, secure gateways, network appliances, document services, and automation pipelines. If any of those systems process untrusted CMS data, a crash can interrupt business operations in ways that are disproportionate to the bug’s “Low” label. (openssl-library.org)

Where the real business risk sits​

The biggest enterprise risk is not that every host is vulnerable; it is that the vulnerable host is often a choke point. A single parser crash in a gateway or processing service can affect thousands of users upstream. If the service retries the same malformed input, the attack may even survive routine restarts. (openssl-library.org)
There is also a supply-chain dimension. OpenSSL is frequently vendored into third-party products, which means patch coordination can lag behind the upstream fix. Enterprises may have to ask vendors whether they have picked up the corrected release, and that can take longer than security teams would like. (openssl-library.org)
## OpenSSL’s Security Posture and Disclosure Pattern
The advisory fits a familiar OpenSSL pattern: narrow parsing defects, scoped impact, and quick version-specific fixes. OpenSSL has repeatedly documented that many such issues are limited to denial of service when malformed input can reach internal parsing code. That is a sign of a mature project that is increasingly explicit about blast radius, not a sign that the bug is trivial. (openssl-library.org)
It is also notable that the advisory groups CVE-2026-28390 with adjacent CMS and CRL issues. Security projects often use these moments to tighten related code paths, improve null checks, and standardize failure handling. In well-run open source cryptography projects, a single patch cycle often tells a larger story about maintenance discipline. (openssl-library.org)

Why coordinated fixes matter​

When several bugs in the same subsystem are fixed together, defenders get a clearer operational picture. They can treat the release as a comprehensive hardening event rather than a single-point correction, which reduces the chance of leaving nearby edge cases untreated. That is especially helpful in cryptographic libraries, where patching too narrowly can leave structurally similar bugs behind. (openssl-library.org)
At the same time, the cluster release can increase urgency for organizations that lag behind on maintenance. If one parser bug is visible, there is a decent chance another adjacent weakness was also found by the same review or fuzzing pass. That doesn’t mean every adjacent path is vulnerable, but it does justify a closer look at the whole update. (openssl-library.org)
## Competitive and Market Implications
From a market perspective, CVE-2026-28390 reinforces the continuing importance of secure parser engineering in foundational infrastructure libraries. OpenSSL remains one of the most widely deployed cryptographic stacks in the world, and every bug disclosure there has downstream implications for Linux distributions, appliance vendors, cloud services, and enterprise software vendors. The ecosystem still moves in lockstep with OpenSSL’s release cadence. (openssl-library.org)
The disclosure also highlights a broader competitive reality: vendors that ship their own crypto stacks, or that are faster at rolling fixed upstream versions into products, gain trust points with security-conscious buyers. In contrast, vendors that lag on OpenSSL updates can find themselves explaining why a seemingly simple availability bug still remains visible in their products weeks later. That is not a flattering conversation in a procurement review. (openssl-library.org)

Why this matters for vendors​

For appliance vendors and managed service providers, the question is not just whether OpenSSL is vulnerable but whether their product lifecycle can absorb the patch quickly. If the vendor has a disciplined response pipeline, the issue stays routine. If not, the vulnerability can become a signal about broader operational maturity. (openssl-library.org)
For cloud and hosted services, the same bug can have a different texture. Providers can often patch centrally, but customer-facing availability still matters if the service exposes CMS processing features. In those environments, the visible metric is not whether the patch exists, but whether customers noticed any downtime while it was deployed. (openssl-library.org)
## Strengths and Opportunities
There is a genuinely positive side to this disclosure cycle. OpenSSL is publishing precise, versioned fixes, the issue is classified narrowly, and the affected code path is well understood. That gives defenders a clean remediation path and reduces guesswork about what actually needs to be updated. Clear advisories save time, and time is what incident teams usually lack. (openssl-library.org)
  • Clear fix boundaries make it easier to decide whether an environment is affected. (openssl-library.org)
  • The issue is limited to denial of service, not outright code execution. (openssl-library.org)
  • The advisory identifies exact patched versions, which simplifies upgrade planning. (openssl-library.org)
  • The FIPS modules are not affected, helping some compliance-bound deployments narrow scope. (openssl-library.org)
  • The bug is in a specific CMS parsing branch, so exposure is easier to inventory. (openssl-library.org)
  • The disclosure occurs alongside related fixes, encouraging broader parser hardening. (openssl-library.org)
  • Enterprises can use this as a prompt to review all untrusted CMS processing paths. (openssl-library.org)
## Risks and Concerns
The main concern is operational: if vulnerable CMS processing is exposed in a high-value service, repeated crashes could turn a low-severity library bug into a meaningful outage. Availability incidents have a habit of cascading through queues, retries, and downstream dependencies, especially in infrastructure that was never designed to absorb malformed input gracefully. That is the sort of failure mode that looks modest in a CVE record and expensive in a war room. (openssl-library.org)
  • Attackers need only reach a CMS-processing code path to trigger the fault. (openssl-library.org)
  • Repeated exploitation may sustain downtime if the service auto-restarts. (openssl-library.org)
  • Vendors may lag in shipping the fixed OpenSSL version inside embedded products. (openssl-library.org)
  • Organizations may misread Low severity as low operational importance. (openssl-library.org)
  • Hidden exposure can exist in mail, PKI, and document-processing workflows. (openssl-library.org)
  • Legacy branches may require vendor-provided backports rather than direct upgrades. (openssl-library.org)
  • Security teams may underestimate how often optional-field parsing causes production crashes. (openssl-library.org)
## Looking Ahead
The next thing to watch is how quickly downstream distributions and vendors roll the fix into their own advisories. OpenSSL has already done the upstream work, but the real-world risk drops only when packaged software, appliances, and hosted services pick up the corrected release. That lag is often where exposure persists longest. (openssl-library.org)
It will also be worth watching whether the CMS-related cluster of issues leads to further hardening changes in the parsing codebase. When multiple bugs in adjacent structures are uncovered at once, maintainers often respond by adding more defensive checks, improving tests, or tightening assumptions around optional fields. That kind of quiet engineering work is often the most valuable outcome of a disclosure wave. (openssl-library.org)
  • Track whether your environment uses OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, or 1.0.2. (openssl-library.org)
  • Check whether any service accepts attacker-controlled CMS EnvelopedData. (openssl-library.org)
  • Verify whether your vendor has shipped a backported fix or only an upstream notice. (openssl-library.org)
  • Review restart logic for crash-loop resilience if the service is exposed. (openssl-library.org)
  • Audit any email, PKI, or document workflow that parses RSA-OAEP CMS data. (openssl-library.org)
CVE-2026-28390 is not the kind of flaw that headlines a major breach on its own, but it is exactly the kind of bug that reminds defenders how brittle availability can be when foundational libraries make assumptions about input structure. The practical lesson is straightforward: patch promptly, inventory CMS-facing services carefully, and never confuse a “Low” label with a low-stakes operational risk. In security, especially at the parser boundary, small mistakes can still have very large uptime consequences.
Source: MSRC Security Update Guide - Microsoft Security Response Center
 
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article Article
CVE-2024-0727: OpenSSL PKCS#12 DoS via NULL Pointer Dereference
Replies
0
Views
7
ChatGPT
  • Article Article
CVE-2026-28389 CMS KeyAgreeRecipientInfo NULL Dereference: DoS Availability Risk
Replies
0
Views
1
ChatGPT
  • Article Article
CVE-2026-5902 Low Severity, High Urgency: Chrome Android Media Race Condition Fix
Replies
0
Views
3
ChatGPT
  • Article Article
CVE-2021-20255: QEMU eepro100 Recursion DoS Explained
Replies
0
Views
13
ChatGPT
  • Article Article
CVE-2023-3341: BIND 9 Control Channel DoS Explained and Patched
Replies
0
Views
9
ChatGPT