{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28390", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "state": "PUBLISHED", "assignerShortName": "openssl", "dateReserved": "2026-02-27T13:45:02.161Z", "datePublished": "2026-04-07T22:00:54.172Z", "dateUpdated": "2026-04-07T22:00:54.172Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSL", "vendor": "OpenSSL", "versions": [{"lessThan": "3.6.2", "status": "affected", "version": "3.6.0", "versionType": "semver"}, {"lessThan": "3.5.6", "status": "affected", "version": "3.5.0", "versionType": "semver"}, {"lessThan": "3.4.5", "status": "affected", "version": "3.4.0", "versionType": "semver"}, {"lessThan": "3.3.7", "status": "affected", "version": "3.3.0", "versionType": "semver"}, {"lessThan": "3.0.20", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "1.1.1zg", "status": "affected", "version": "1.1.1", "versionType": "custom"}, {"lessThan": "1.0.2zp", "status": "affected", "version": "1.0.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Muhammad Daffa"}, {"lang": "en", "type": "reporter", "value": "Zhanpeng Liu (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Guannan Wang (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Guancheng Li (Tencent Xuanwu Lab)"}, {"lang": "en", "type": "reporter", "value": "Joshua Rogers"}, {"lang": "en", "type": "reporter", "value": "Chanho Kim"}, {"lang": "en", "type": "remediation developer", "value": "Neil Horman"}], "datePublic": "2026-04-07T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Issue summary: During processing of a crafted CMS EnvelopedData message<br>with KeyTransportRecipientInfo a NULL pointer dereference can happen.<br><br>Impact summary: Applications that process attacker-controlled CMS data may<br>crash before authentication or cryptographic operations occur resulting in<br>Denial of Service.<br><br>When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with<br>RSA-OAEP encryption is processed, the optional parameters field of<br>RSA-OAEP SourceFunc algorithm identifier is examined without checking<br>for its presence. This results in a NULL pointer dereference if the field<br>is missing.<br><br>Applications and services that call CMS_decrypt() on untrusted input<br>(e.g., S/MIME processing or CMS-based protocols) are vulnerable.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this<br>issue, as the affected code is outside the OpenSSL FIPS module boundary."}], "value": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}], "metrics": [{"format": "other", "other": {"content": {"text": "Low"}, "type": "https://openssl-library.org/policies/general/security-policy/"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2026-04-07T22:00:54.172Z"}, "references": [{"name": "OpenSSL Advisory", "tags": ["vendor-advisory"], "url": "https://openssl-library.org/news/secadv/20260407.txt"}, {"name": "3.6.2 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc"}, {"name": "3.5.6 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6"}, {"name": "3.4.5 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788"}, {"name": "3.3.7 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75"}, {"name": "3.0.20 git commit", "tags": ["patch"], "url": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4"}], "source": {"discovery": "UNKNOWN"}, "title": "Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyTransportRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyTransportRecipientInfo with\nRSA-OAEP encryption is processed, the optional parameters field of\nRSA-OAEP SourceFunc algorithm identifier is examined without checking\nfor its presence. This results in a NULL pointer dereference if the field\nis missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}], "id": "CVE-2026-28390", "lastModified": "2026-04-08T21:27:00.663", "metrics": {}, "published": "2026-04-07T22:16:21.190", "references": [{"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788"}, {"source": "openssl-security@openssl.org", "url": "https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75"}, {"source": "openssl-security@openssl.org", "url": "https://openssl-library.org/news/secadv/20260407.txt"}], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "openssl-security@openssl.org", "type": "Secondary"}]}

{"bugzilla": {"description": "openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing", "id": "2456314", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456314"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in OpenSSL. A remote attacker could exploit this vulnerability by sending a specially crafted Cryptographic Message Syntax (CMS) EnvelopedData message. During the processing of a KeyTransportRecipientInfo with RSA-OAEP encryption, the system attempts to access an optional parameter field without first verifying its presence. This leads to a NULL pointer dereference, which can cause applications processing the attacker-controlled CMS data to crash, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Applications that process Cryptographic Message Syntax (CMS) EnvelopedData messages should be configured to only accept input from trusted sources. Restricting network access to services that process untrusted CMS data can also reduce exposure to this Denial of Service vulnerability."}, "name": "CVE-2026-28390", "package_state": [{"cpe": "cpe:/a:redhat:confidential_cluster_operator:4", "fix_state": "Affected", "package_name": "confidential-clusters-beta/confidential-cluster-operator-bundle", "product_name": "Confidential Cluster Operator"}, {"cpe": "cpe:/a:redhat:confidential_cluster_operator:4", "fix_state": "Affected", "package_name": "redhat-user-workloads/attestation-key-register", "product_name": "Confidential Cluster Operator"}, {"cpe": "cpe:/a:redhat:confidential_cluster_operator:4", "fix_state": "Affected", "package_name": "redhat-user-workloads/buildroot", "product_name": "Confidential Cluster Operator"}, {"cpe": "cpe:/a:redhat:confidential_cluster_operator:4", "fix_state": "Affected", "package_name": "redhat-user-workloads/compute-pcrs", "product_name": "Confidential Cluster Operator"}, {"cpe": "cpe:/a:redhat:confidential_cluster_operator:4", "fix_state": "Affected", "package_name": "redhat-user-workloads/confidential-cluster-operator", "product_name": "Confidential Cluster Operator"}, {"cpe": "cpe:/a:redhat:confidential_cluster_operator:4", "fix_state": "Affected", "package_name": "redhat-user-workloads/registration-server", "product_name": "Confidential Cluster Operator"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "openshift-sandboxed-containers/osc-operator-bundle", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-monitor", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-monitor-v1-10", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-operator", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-operator-bundle-v1-10", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-operator-v1-10", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-podvm-builder", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-podvm-builder-v1-10", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-podvm-payload", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/osc-podvm-payload-v1-10", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:confidential_compute_attestation:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/trustee", "product_name": "Confidential Compute Attestation"}, {"cpe": "cpe:/a:redhat:lightspeed_core", "fix_state": "Affected", "package_name": "redhat-user-workloads/dataverse-exporter", "product_name": "Lightspeed Core"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "redhat-user-workloads/logging-vector-v6-2", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "redhat-user-workloads/logging-vector-v6-4", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-ocp-rag", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-to-dataverse-exporter", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/ossm-3-3-ztunnel", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:pdrive_lightspeed:0", "fix_state": "Affected", "package_name": "redhat-user-workloads/pen-drive-scanner", "product_name": "Pen Drive Powered by Red Hat Lightspeed"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp21/backend", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp22/backend", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp2/backend-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "rhacs-eng/release-fact", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/automation-reports", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/de-minimal-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/eda-controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-minimal-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-supported-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-chatbot-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/mcp-tools-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/metrics-service-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_core:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-minimal-ansible-core-2-18-rhel-8", "product_name": "Red Hat Ansible Automation Platform Ansible Core 2"}, {"cpe": "cpe:/a:redhat:ansible_core:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-minimal-ansible-core-2-18-rhel-9", "product_name": "Red Hat Ansible Automation Platform Ansible Core 2"}, {"cpe": "cpe:/a:redhat:ansible_core:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-minimal-ansible-core-2-19-rhel-8-tech-preview", "product_name": "Red Hat Ansible Automation Platform Ansible Core 2"}, {"cpe": "cpe:/a:redhat:ansible_core:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-minimal-ansible-core-2-19-rhel-9-tech-preview", "product_name": "Red Hat Ansible Automation Platform Ansible Core 2"}, {"cpe": "cpe:/a:redhat:ansible_core:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-minimal-ansible-core-2-20-rhel-8-tech-preview", "product_name": "Red Hat Ansible Automation Platform Ansible Core 2"}, {"cpe": "cpe:/a:redhat:ansible_core:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/ee-minimal-ansible-core-2-20-rhel-9-tech-preview", "product_name": "Red Hat Ansible Automation Platform Ansible Core 2"}, {"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/rhcl-1-3-limitador", "product_name": "Red Hat Connectivity Link 1"}, {"cpe": "cpe:/a:redhat:directory_server:11", "fix_state": "Not affected", "package_name": "redhat-ds:11/389-ds-base", "product_name": "Red Hat Directory Server 11"}, {"cpe": "cpe:/a:redhat:directory_server:12", "fix_state": "Not affected", "package_name": "redhat-ds:12/389-ds-base", "product_name": "Red Hat Directory Server 12"}, {"cpe": "cpe:/a:redhat:directory_server:13", "fix_state": "Not affected", "package_name": "389-ds-base", "product_name": "Red Hat Directory Server 13"}, {"cpe": "cpe:/a:redhat:discovery:2::el9", "fix_state": "Affected", "package_name": "redhat-user-workloads/discovery-server", "product_name": "Red Hat Discovery 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "bootc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Will not fix", "package_name": "clevis-pin-tpm2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "keylime-agent-rust", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "mesa", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "python3.14-cryptography", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rpm-ostree", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "ruby4.0", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rust-afterburn", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rust-bootupd", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rust-sequoia-sq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rust-sequoia-sqv", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "s390utils", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "shim-unsigned-aarch64", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "trustee", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "virt-firmware-rs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "ovmf", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "389-ds:1.4/389-ds-base", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "compat-openssl10", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mingw-openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3.12-cryptography", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "rpm-ostree", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "ruby:3.3/ruby", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "bootc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "compat-openssl11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "keylime-agent-rust", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "mesa", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.12-cryptography", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.14-cryptography", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rpm-ostree", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "ruby:3.3/ruby", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ruby:4.0/ruby", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rust-bootupd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rust-rpm-sequoia", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "shim-unsigned-aarch64", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "shim-unsigned-x64", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "python-cryptography/python-cryptography", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "syft/syft", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "openssl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:offline_knowledge_portal:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/rhokp-core-encrypted", "product_name": "Red Hat Offline Knowledge Portal"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-fms-guardrails-orchestrator-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llm-d-inference-scheduler-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-ml-pipelines-runtime-generic-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-model-registry-job-async-upload-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-vllm-orchestrator-gateway-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "conmon-rs", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "kata-containers", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rpm-ostree", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rust-bootupd", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_update_service:5", "fix_state": "Affected", "package_name": "redhat-user-workloads/osus-operand", "product_name": "Red Hat OpenShift Update Service"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/quay-quay-v3-10", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/quay-quay-v3-12", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/quay-quay-v3-13", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/quay-quay-v3-14", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/quay-quay-v3-15", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/quay-quay-v3-16", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/quay-quay-v3-17", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/quay-quay-v3-9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "redhat-user-workloads/iop-advisor-backend-sat-6-18", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "redhat-user-workloads/iop-advisor-engine", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "redhat-user-workloads/iop-host-inventory-sat-6-18", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "redhat-user-workloads/iop-vmaas-sat-6-18", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "redhat-user-workloads/iop-vulnerability-engine-sat-6-18", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "securesign/cli-tuftool", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "securesign/tuffer", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_profile_analyzer:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/rhtpa-product-0-3-z", "product_name": "Red Hat Trusted Profile Analyzer"}], "public_date": "2026-04-07T22:00:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28390\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28390\nhttps://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc\nhttps://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6\nhttps://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4\nhttps://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788\nhttps://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75\nhttps://openssl-library.org/news/secadv/20260407.txt"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.6.0,3.6.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0,3.5.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.4.0,3.4.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.3.0,3.3.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.0.20)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.1.1,1.1.1zg)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0.2,1.0.2zp)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenSSL", "source": "cna", "vendor": "OpenSSL"}, "product": "openssl", "vendor": "openssl"}], "analysis": {"en": {"generated_at": "2026-04-09T01:51:31.193560+00:00", "value": {"mitigation_remediation": ["Apply the latest OpenSSL release that incorporates the commits linked in the advisory; these changes address the unchecked pointer dereference.", "If an upgrade cannot be performed immediately, prevent processing of KeyTransportRecipientInfo in untrusted CMS data or enforce strict input validation before calling CMS_decrypt().", "Confirm that the environment is not using the FIPS module version, which is not affected.", "Stay current with future advisories and patch promptly when a new release is issued."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw resides in the CMS implementation of the OpenSSL library for all non\u2011FIPS builds. Any program that processes CMS data via CMS_decrypt(), such as S/MIME handlers or other CMS\u2011based protocols, is potentially vulnerable. The FIPS modules (3.6, 3.5, 3.4, 3.3 and 3.0) are unaffected because the vulnerable code lies outside the FIPS boundary.", "description_and_impact": "A crafted CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA\u2011OAEP can trigger a NULL pointer dereference when the optional parameters field of the RSA\u2011OAEP algorithm identifier is missing and examined without a null check. The failure occurs before authentication or cryptographic operations, leading to a crash of the application and a denial\u2011of\u2011service condition. The weakness is a classic NULL pointer dereference (CWE\u2011476).", "risk_and_exploitability": "The CVSS score of 7.5 reflects a high\u2011severity impact, yet the EPSS score is below 1\u202f% and the issue is not listed in CISA\u2019s KEV catalog, suggesting low current exploitation activity. An attacker would need to supply a malicious CMS EnvelopedData message to a vulnerable application; a successful exploit would cause an application crash and downtime. Proper input validation or disallowing the processing of KeyTransportRecipientInfo from untrusted sources mitigates the risk, but the most reliable defense is applying the vendor patch."}}}}, "created": "2026-04-08T19:33:54.727159+00:00", "updated": "2026-04-09T08:28:36.943861+00:00", "vendors": ["openssl", "openssl$PRODUCT$openssl"]}