CVE-2026-28389 Overview
CVE-2026-28389 is a Null Pointer Dereference vulnerability affecting OpenSSL's Cryptographic Message Syntax (CMS) implementation. During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, a NULL pointer dereference can occur when the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without first checking for its presence.
Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service (DoS). Services calling CMS_decrypt() on untrusted input, such as S/MIME email processing or CMS-based protocols, are particularly vulnerable to this issue.
Critical Impact
Applications and services processing untrusted CMS EnvelopedData messages can be crashed by an attacker, leading to denial of service conditions before any authentication or cryptographic validation takes place.
Affected Products
- OpenSSL (versions prior to security patches released April 2026)
- Applications using CMS_decrypt() on untrusted input
- S/MIME processing services and CMS-based protocol implementations
Discovery Timeline
- April 7, 2026 - CVE-2026-28389 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28389
Vulnerability Analysis
The vulnerability exists in OpenSSL's CMS (Cryptographic Message Syntax) implementation, specifically within the DH and ECDH key agreement processing code in crypto/cms/cms_dh.c and crypto/cms/cms_ec.c. When processing a CMS EnvelopedData structure that uses KeyAgreeRecipientInfo, the code directly accesses the alg->parameter field without first verifying that the parameter exists.
The flaw is classified as CWE-476 (NULL Pointer Dereference). An attacker can craft a malicious CMS EnvelopedData message with a missing optional parameters field in the KeyEncryptionAlgorithmIdentifier. When the vulnerable application attempts to process this message, the code dereferences the NULL pointer, causing an immediate application crash.
Importantly, the FIPS modules in OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0 are not affected by this issue, as the vulnerable code exists outside the OpenSSL FIPS module boundary.
Root Cause
The root cause is improper validation of optional ASN.1 fields before dereferencing. The original code directly accessed alg->algorithm and alg->parameter->type without first calling X509_ALGOR_get0() to safely extract and validate these values. When the optional parameters field is absent (NULL), attempting to access alg->parameter->type or alg->parameter->value.sequence->data results in a NULL pointer dereference.
Attack Vector
An attacker can exploit this vulnerability by sending a specially crafted CMS EnvelopedData message to an application that processes CMS data. The attack requires:
- Target application calls CMS_decrypt() on attacker-controlled input
- Attacker crafts CMS EnvelopedData with KeyAgreeRecipientInfo containing a malformed KeyEncryptionAlgorithmIdentifier structure
- The structure omits the optional parameters field that the vulnerable code expects
- Processing triggers NULL pointer dereference, crashing the application
Common attack surfaces include email servers processing S/MIME encrypted messages, web services accepting CMS-encrypted payloads, and any application using OpenSSL's CMS API for decryption.
// Security patch in crypto/cms/cms_ec.c - Fix NULL deref in [ec]dh_cms_set_shared_info
int plen, keylen;
EVP_CIPHER *kekcipher = NULL;
EVP_CIPHER_CTX *kekctx;
+ const ASN1_OBJECT *aoid = NULL;
+ int ptype = 0;
+ const void *parameter = NULL;
+
char name[OSSL_MAX_NAME_SIZE];
if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
return 0;
- if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
+ X509_ALGOR_get0(&aoid, &ptype, ¶meter, alg);
+
+ if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(aoid))) {
ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
return 0;
}
- if (alg->parameter->type != V_ASN1_SEQUENCE)
+ if (ptype != V_ASN1_SEQUENCE)
return 0;
- p = alg->parameter->value.sequence->data;
- plen = alg->parameter->value.sequence->length;
+ p = ASN1_STRING_get0_data(parameter);
+ plen = ASN1_STRING_length(parameter);
kekalg = d2i_X509_ALGOR(NULL, &p, plen);
if (kekalg == NULL)
Source: GitHub OpenSSL Commit
Detection Methods for CVE-2026-28389
Indicators of Compromise
- Application crashes or core dumps in OpenSSL-linked processes during CMS decryption operations
- Segmentation fault errors in log files referencing cms_dh.c or cms_ec.c functions
- Increased crash rates in S/MIME processing or email gateway services
- Service availability disruptions correlated with receipt of specific encrypted messages
Detection Strategies
- Monitor application logs for segmentation faults and crashes in processes that perform CMS decryption
- Implement crash telemetry to detect patterns of NULL pointer dereference crashes in OpenSSL-dependent services
- Deploy input validation at network perimeters to identify malformed CMS structures before they reach vulnerable applications
- Use memory sanitizers (AddressSanitizer, Valgrind) in development and testing to catch NULL dereferences early
Monitoring Recommendations
- Enable core dump collection and analysis for services processing CMS/S/MIME data
- Set up alerting for unusual crash rates in email processing or encrypted message handling services
- Monitor OpenSSL error logs for CMS_R_KDF_PARAMETER_ERROR messages which may indicate exploitation attempts
- Implement availability monitoring for CMS-dependent services to detect DoS conditions
How to Mitigate CVE-2026-28389
Immediate Actions Required
- Update OpenSSL to the latest patched version that includes the fix for CVE-2026-28389
- Identify all applications in your environment that use CMS_decrypt() on untrusted input
- Prioritize patching S/MIME email processing services and CMS-based API endpoints
- Consider implementing rate limiting on CMS decryption endpoints to reduce DoS impact
Patch Information
OpenSSL has released security patches addressing this vulnerability. Multiple commits have been published to fix the NULL pointer dereference in both the DH and ECDH CMS key agreement implementations. The fix uses X509_ALGOR_get0() to safely extract algorithm parameters before accessing them, and validates the parameter type before dereferencing.
Refer to the OpenSSL Security Advisory for official guidance on affected versions and upgrade paths. The following commits contain the fix for different OpenSSL branches:
Workarounds
- Restrict CMS decryption services to only accept messages from trusted, authenticated sources
- Implement pre-validation of CMS message structure before passing to CMS_decrypt()
- Deploy network-level filtering to block malformed CMS/ASN.1 structures at the perimeter
- Run CMS processing services in isolated environments with process restart capabilities to minimize DoS impact
# Configuration example - Verify OpenSSL version after patching
openssl version -a
# Check if your OpenSSL includes the security fix
# Look for commit hashes in the build metadata or verify version number
# against the OpenSSL security advisory
# Identify processes using OpenSSL for CMS operations
lsof | grep libssl | awk '{print $1}' | sort -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
