CVE-2026-28386 Overview
CVE-2026-28386 is an Out-of-Bounds Read vulnerability affecting OpenSSL's AES-CFB128 encryption and decryption implementation on x86-64 systems with AVX-512 and VAES instruction support. When processing partial cipher blocks, the vulnerable code path can trigger an out-of-bounds read of up to 15 bytes, potentially causing application crashes and Denial of Service conditions.
Critical Impact
Applications using AES-CFB128 encryption may crash when processing partial blocks if the input buffer ends at a memory page boundary and the following page is unmapped, leading to Denial of Service.
Affected Products
- OpenSSL builds that include the AVX-512/VAES optimized AES-CFB128 assembly (crypto/aes/asm/aes-cfb-avx512.pl; consult the OpenSSL Security Advisory for the exact version range)
- OpenSSL FIPS module version 3.6
- Reachable only at runtime on x86-64 CPUs with AVX-512 and VAES support, because OpenSSL selects this code path by CPU feature detection; x86-64 builds on other hardware carry the code but never execute it
Discovery Timeline
- 2026-04-07 - CVE-2026-28386 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-28386
Vulnerability Analysis
This vulnerability exists in OpenSSL's optimized AES-CFB128 implementation that uses AVX-512 and VAES instructions for improved cryptographic performance. The flaw manifests when handling partial cipher blocks—specifically when a previous encryption or decryption call left an incomplete block and the current call provides fewer bytes than needed to complete it.
The out-of-bounds read happens because the vulnerable code path loads full 16-byte blocks from both the IV buffer and the input buffer, reading past the end of the bytes that actually belong to the partial block. The over-read can extend up to 15 bytes past the intended data, but the bytes read beyond the boundary are never written to the output or blended into the IV, so there is no information disclosure. If the input buffer ends at a memory page boundary and the following page is unmapped, the over-read faults and the application crashes with a segmentation fault (SIGSEGV).
It's important to note that CFB mode is not used in TLS/DTLS protocols, which instead rely on CBC, GCM, CCM, or ChaCha20-Poly1305 cipher modes. This significantly limits the real-world attack surface of this vulnerability.
Root Cause
The root cause lies in the partial-block handling in crypto/aes/asm/aes-cfb-avx512.pl, the perlasm source of the AVX-512/VAES AES-CFB128 routine. The original implementation used unmasked vmovdqu8 instructions to load from the initialization vector (IV) and from the input buffer, so each load pulled a full 16 bytes into an XMM register regardless of how many bytes of the partial block were actually valid, while the corresponding stores were already masked to the valid length.
Attack Vector
The crash requires all of the following conditions:
- The target application must use OpenSSL's AES-CFB128 cipher mode
- The system must be x86-64 with AVX-512 and VAES support, so that OpenSSL dispatches to the optimized code path
- The application must call the cipher with a partial block (a previous call left an incomplete block, and the current call supplies fewer bytes than needed to complete it); an attacker who controls how input is chunked can arrange this
- The valid input bytes must end at a page boundary with the following page unmapped, so that the up-to-15-byte over-read touches unmapped memory
The combination of these requirements makes the crash hard to trigger deliberately, but possible where an attacker can influence both the chunk sizes fed to the cipher and, directly or through predictable allocator behaviour, where the input sits in memory; page-aligned or mmap-backed input buffers are the typical case.
and \$0x0F,%al # wrap-around $num in a 16-byte block
leaq ($num,$ivp),%r11 # process $left iv bytes
- vmovdqu8 (%r11),%xmm0
- vmovdqu8 ($inp),%xmm1 # process $left input bytes
+ vmovdqu8 (%r11),%xmm0{%k1}{z}
+ vmovdqu8 ($inp),%xmm1{%k1}{z} # process $left input bytes
vpxor %xmm0,%xmm1,%xmm2 # CipherFeedBack XOR
vmovdqu8 %xmm2,($out){%k1} # write $left output bytes
vmovdqu8 %xmm2,(%r11){%k1} # blend $left output bytes into iv
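Review bot: The masked loads `vmovdqu8 (%r11),%xmm0{%k1}{z}` and `vmovdqu8 ($inp),%xmm1{%k1}{z}` are only as safe as the contents of %k1, which is set up outside this hunk; confirm that the mask covers exactly the `$left` lanes and that `$left` is clamped to the bytes actually supplied in this call rather than just `16 - $num`, otherwise the load from ($inp) still reaches past a short input. The `{z}` zeroing is worth keeping even though the full-width vpxor result in %xmm2 is only ever stored under {%k1} on the two following lines: it guarantees the unused lanes never carry stale register contents into the XOR.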
Source: GitHub OpenSSL Commit
The fix adds the {%k1}{z} mask suffix to the two vmovdqu8 loads, so that only the valid bytes (selected by the k1 mask register) are read from memory and the remaining lanes of the register are zeroed instead of being loaded from past the buffer. The stores on the following lines were already masked with {%k1}, which is why the over-read was never written out; the patch brings the loads in line with them.
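To make the partial-block mechanics concrete, the following added C model (not OpenSSL code, and not part of this page) re-implements the CFB128 partial-block step in two shapes: an unmasked one that, like the original vmovdqu8 loads, reads a full 16 bytes from iv+num and from the input, and a masked one bounded by the number of valid bytes. A constructed keystream block replaces AES output, and the `slack` field in the state struct is a hypothetical stand-in for the EVP context memory that surrounds OpenSSL's IV; the mmap/mprotect harness reproduces the page-boundary condition from the attack-vector section above.

```c
/* Added model of OpenSSL-style CFB128 partial-block handling (not OpenSSL code):
 * a constructed keystream block stands in for AES; the chaining logic and the
 * memory accesses are the point, not cipher strength. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20 /* Linux value; glibc hides the macro under strict -std= */
#endif
#define BLK 16

/* iv = current block, num = bytes of it already consumed (0..15). OpenSSL keeps
 * both inside the EVP cipher context, so an IV over-read stays inside that
 * allocation; the hypothetical slack[] models that (hence the input buffer,
 * not the IV, is the crash trigger). */
typedef struct { uint8_t iv[BLK]; uint8_t slack[BLK]; unsigned num; } cfb128_state;

static void init_state(cfb128_state *st, unsigned num)
{
    memset(st, 0, sizeof *st);
    for (unsigned i = 0; i < BLK; i++) st->iv[i] = (uint8_t)(0xA0 + i); /* constructed block */
    st->num = num;
}
/* Bytes of this call that fall into the open partial block: min(16 - num, len). */
static size_t partial_len(const cfb128_state *st, size_t len)
{
    size_t left = BLK - st->num;
    return len < left ? len : left;
}
/* VULNERABLE shape: full 16-byte loads from iv+num and from in (unmasked vmovdqu8),
 * then `left`-byte stores. Reads up to 15 bytes past the end of `in`. */
static void cfb128_partial_unmasked(cfb128_state *st, const uint8_t *in, uint8_t *out, size_t left)
{
    uint8_t k[BLK], p[BLK], c[BLK];
    memcpy(k, st->iv + st->num, BLK);  /* over-reads the IV by num bytes */
    memcpy(p, in, BLK);                /* over-reads in by 16 - left bytes */
    for (size_t i = 0; i < BLK; i++) c[i] = k[i] ^ p[i]; /* CipherFeedBack XOR */
    memcpy(out, c, left);              /* masked store of ciphertext */
    memcpy(st->iv + st->num, c, left); /* masked blend into iv */
    st->num = (st->num + (unsigned)left) % BLK;
}
/* FIXED shape: loads bounded by `left`, unused lanes zeroed, as {%k1}{z} does. */
static void cfb128_partial_masked(cfb128_state *st, const uint8_t *in, uint8_t *out, size_t left)
{
    uint8_t k[BLK] = {0}, p[BLK] = {0}, c[BLK];
    memcpy(k, st->iv + st->num, left);
    memcpy(p, in, left);
    for (size_t i = 0; i < BLK; i++) c[i] = k[i] ^ p[i];
    memcpy(out, c, left);
    memcpy(st->iv + st->num, c, left);
    st->num = (st->num + (unsigned)left) % BLK;
}
/* Guard-page harness: n writable bytes ending exactly at a page boundary, with a
 * PROT_NONE page after them. *base/*maplen are for munmap(). */
static uint8_t *alloc_at_page_end(size_t n, void **base, size_t *maplen)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (n > pg) return NULL;
    uint8_t *m = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return NULL;
    if (mprotect(m + pg, pg, PROT_NONE) != 0) { munmap(m, 2 * pg); return NULL; }
    *base = m; *maplen = 2 * pg;
    return m + pg - n;
}
/* Both shapes agree when the over-read lands in readable memory: the fix changes
 * what is read, not what is computed. Returns 1 on agreement. */
int demo_masked_matches_unmasked(void)
{
    uint8_t buf[32] = "hello", o1[5], o2[5]; /* 5 real bytes + readable slack */
    cfb128_state a, b;
    init_state(&a, 3); init_state(&b, 3);
    cfb128_partial_unmasked(&a, buf, o1, partial_len(&a, 5));
    cfb128_partial_masked(&b, buf, o2, partial_len(&b, 5));
    return memcmp(o1, o2, 5) == 0 && memcmp(a.iv, b.iv, BLK) == 0 && a.num == b.num;
}
/* The fixed shape survives a 5-byte partial block that ends at a guard page; its
 * first output byte is iv[3] ^ 'h' = 0xA3 ^ 0x68 = 0xCB. Returns 1 on success. */
int demo_guard_page_partial(void)
{
    uint8_t out[5]; cfb128_state st; void *base; size_t maplen;
    uint8_t *in = alloc_at_page_end(5, &base, &maplen);
    if (!in) return 0;
    memcpy(in, "hello", 5); init_state(&st, 3);
    cfb128_partial_masked(&st, in, out, partial_len(&st, 5)); /* must not fault */
    munmap(base, maplen);
    return out[0] == 0xCB && st.num == 8;
}

int main(int argc, char **argv)
{
    printf("masked == unmasked on slack buffer: %s\n", demo_masked_matches_unmasked() ? "yes" : "NO");
    printf("masked shape at guard page: %s\n", demo_guard_page_partial() ? "ok" : "FAILED");
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) { /* reproduce the fault on demand */
        void *base; size_t maplen; uint8_t out[5]; cfb128_state st; init_state(&st, 3);
        uint8_t *in = alloc_at_page_end(5, &base, &maplen);
        if (in) { memcpy(in, "hello", 5); cfb128_partial_unmasked(&st, in, out, 5); } /* SIGSEGV expected */
        puts("no fault: the over-read landed in mapped memory");
    }
    return 0;
}
```

Build with `cc -O1 -o cfbmodel cfbmodel.c` and run it plain to see both demos pass, then with `--crash` to watch the unmasked shape fault at the guard page; building with `-fsanitize=address` reports the over-read on the very first call, without any guard page. The same harness wrapped around a real libcrypto (a short first EVP_EncryptUpdate call to open a partial block, then a second short call whose input ends at the guard page) is, in our reading of the advisory, the check to run against a specific build to tell an affected library from a patched one.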
Detection Methods for CVE-2026-28386
Indicators of Compromise
- Unexplained application crashes in processes using OpenSSL AES-CFB128 encryption
- Segmentation fault errors in log files associated with cryptographic operations
- Core dumps showing crashes within OpenSSL's AVX-512 code paths
Detection Strategies
- Monitor for repeated SIGSEGV signals in applications linked against OpenSSL
- Implement memory fault detection for applications using AES-CFB128 cipher operations
- Audit system capabilities for AVX-512 and VAES support with grep -E "avx512|vaes" /proc/cpuinfo (the flags line repeats once per logical CPU; vaes together with the avx512 family flags is what makes the optimized path reachable)
- Review application logs for cryptographic operation failures during partial block processing
Monitoring Recommendations
- Deploy application crash monitoring for services using OpenSSL cryptographic functions
- Enable core dump collection and analysis for affected services
- Monitor system stability metrics on x86-64 servers with AVX-512/VAES capabilities
- Set up alerts for recurring segmentation faults in production environments
How to Mitigate CVE-2026-28386
Immediate Actions Required
- Identify all systems whose CPUs expose AVX-512 and VAES using grep -E "avx512|vaes" /proc/cpuinfo; only these can reach the affected code path
- Inventory applications that use the AES-CFB128 cipher mode (TLS/DTLS deployments are not affected, since CFB is not a TLS cipher mode)
- Apply the OpenSSL security patch as soon as it is available for your distribution; patching is the only complete fix
- As a temporary workaround, consider disabling the AVX-512/VAES code path through the OPENSSL_ia32cap environment variable, and verify that the mask you set actually disables it (see Workarounds)
Patch Information
The vulnerability has been addressed in the official OpenSSL commit 61f428a2fc6671ede184a19f71e6e495f0689621. The patch modifies the crypto/aes/asm/aes-cfb-avx512.pl assembly code to use masked memory load instructions, preventing out-of-bounds reads during partial block processing. Review the OpenSSL Security Advisory for additional guidance and affected version information.
Workarounds
- Disable the AVX-512/VAES code path by masking CPUID capability bits with the OPENSSL_ia32cap environment variable; the mask cited here is OPENSSL_ia32cap=:~0x200000, but the bit positions are defined per OpenSSL version in the OPENSSL_ia32cap(3) manual page and a mask that clears the wrong bit leaves the vulnerable path enabled, so confirm the value against that documentation and re-run a test case that previously crashed before relying on it
- Switch to alternative cipher modes (GCM, CCM, or ChaCha20-Poly1305) where the protocol and peers permit
- Where the application owns the buffers, keep at least 15 bytes of readable memory after any input passed to a CFB128 operation, for example by allocating with slack; this keeps the over-read inside mapped memory but is fragile and only a stopgap
- Container or process isolation does not prevent the fault (the process still receives SIGSEGV), but supervised restart of the crashing worker limits the outage until the patch is deployed
# Configuration example (shell)
# Temporary workaround: mask the CPUID bits OpenSSL uses to select the AVX-512/VAES path.
# Check the mask value against OPENSSL_ia32cap(3) for your OpenSSL version before deploying it.
export OPENSSL_ia32cap=":~0x200000"
# Does this CPU expose AVX-512 and VAES? (one flags line per logical CPU, so stop at the first)
grep -m1 -oE 'avx512[a-z0-9_]*|vaes' /proc/cpuinfo
# Which OpenSSL build is in use, and does it offer CFB ciphers at all?
openssl version -a
openssl list -cipher-algorithms | grep -i cfb
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.