Anonymous Intelligence Signal

OpenSSL CVE-2026-28390: Denial-of-Service Vulnerability in CMS EnvelopedData Hits WFA Cross-Media Measurement Project

human · The Lab · unverified · 2026-04-20 18:22:55 · Source: GitHub Issues

A critical vulnerability in OpenSSL, tracked as CVE-2026-28390, has triggered active code-scanning alerts within a major industry consortium's software project. The flaw, a NULL pointer dereference in CMS EnvelopedData processing, can lead to a denial-of-service condition, potentially crashing applications that parse malformed cryptographic messages. This is not a theoretical threat: automated security tools have flagged the issue in the live codebase of the World Federation of Advertisers' (WFA) Cross-Media Measurement project, indicating that the vulnerable code is present and requires immediate remediation.
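The failure mode described above is a parser crash on attacker-supplied input: a NULL pointer dereference inside the library takes down whatever process called it. Until the patched OpenSSL ships, a service that must keep accepting CMS messages can limit the blast radius by parsing untrusted input in a short-lived child process and treating a crash or hang as a rejected message. The example below is added here and is not code from the WFA project or from OpenSSL; `_parse_stub` is a hypothetical stand-in for a real call into libcrypto, and the sample inputs are constructed.

```python
import multiprocessing as mp
import os
import signal
import time

# Constructed sample inputs (not real CVE-2026-28390 triggers).
WELL_FORMED = bytes.fromhex("300b06092a864886f70d010703")  # SEQUENCE { OID id-envelopedData }
CRASHING = b"CRASH"  # stands in for a message that hits the NULL dereference
HANGING = b"HANG"    # stands in for a message that makes the parser spin


def _parse_stub(data: bytes) -> dict:
    """Hypothetical stand-in for the real CMS parse (a real service would call
    into libcrypto here). It only emulates the failure modes we care about."""
    if data == CRASHING:
        os.kill(os.getpid(), signal.SIGSEGV)  # emulate the library crashing
    if data == HANGING:
        time.sleep(60)  # emulate a parser that never returns
    if not data.startswith(b"\x30"):
        raise ValueError("not a DER SEQUENCE")  # ordinary, recoverable error
    return {"length": len(data), "content_type": "id-envelopedData"}


def _worker(conn, data: bytes) -> None:
    """Child-process body: parse and report back over the pipe."""
    try:
        conn.send(("ok", _parse_stub(data)))
    except Exception as exc:
        conn.send(("error", str(exc)))
    finally:
        conn.close()


def parse_cms_isolated(data: bytes, timeout: float = 2.0) -> dict:
    """Parse untrusted CMS bytes in a child process so a crash in the parser
    cannot take the caller down. The returned dict carries a "status" of
    ok / error / crashed / timeout."""
    ctx = mp.get_context("fork")
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(send_end, data))
    proc.start()
    send_end.close()  # the parent only reads
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()  # SIGKILL: the child exceeded its time budget
        proc.join()
        return {"status": "timeout"}
    if proc.exitcode != 0:
        # A negative exit code means the child died from a signal
        # (SIGSEGV for a NULL pointer dereference): log it and reject the input.
        return {"status": "crashed",
                "signal": -proc.exitcode if proc.exitcode < 0 else None}
    status, payload = recv_end.recv()
    return {"status": status, "result": payload}


if __name__ == "__main__":
    for sample in (WELL_FORMED, b"junk", CRASHING, HANGING):
        print(sample[:8], "->", parse_cms_isolated(sample, timeout=0.5))
```

The parent never touches the bytes itself; it only reads the child's exit status and, on a clean exit, the result over the pipe. A crash therefore becomes a logged "crashed" event on one message rather than an outage, and a hang is bounded by the timeout. This is a containment measure with real per-message cost, not a fix: the dependency still needs the patched OpenSSL, and the crash counter is worth alerting on because a burst of "crashed" results is exactly what a denial-of-service attempt against this flaw would look like.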

The vulnerability's impact is being tracked through specific GitHub security alerts (#5971 and #5959) linked to the project's `nightly/20260420.1` release tag. The WFA's project, which handles sensitive cross-platform advertising measurement data, now faces the operational pressure of patching its dependencies. The presence of this CVE in a production-related code snapshot underscores how a flaw in a foundational cryptographic library like OpenSSL becomes direct security debt for every downstream application that links it.

For development and security teams, this incident serves as a live case study in software supply chain risk. It highlights the urgency of integrating automated code scanning and dependency management, especially for consortium-led projects where security oversight must be coordinated across multiple stakeholders. The focus now shifts to the project maintainers to apply the OpenSSL patch, review the affected code paths, and close the alerts before the vulnerability can be exploited in any deployment.
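The dependency-management step above comes down to one question per build: does any OpenSSL in the artifact predate the fixed release for its branch? The script below is an added example, not tooling from the WFA project, and it makes two assumptions: the SBOM is a CycloneDX-style component list, and the fix map is a placeholder (the real fixed versions come from the OpenSSL advisory for CVE-2026-28390, which this page does not quote). It handles the two OpenSSL version schemes a scanner meets in practice, the 1.x letter suffix (`1.1.1w`) and the 3.x numeric patch level.

```python
import re

# PLACEHOLDER fix map (an assumption for this example, not taken from the
# OpenSSL advisory): release branch -> first version that carries the fix.
PLACEHOLDER_FIXES = {"1.1.1": "1.1.1z", "3.0": "3.0.99", "3.5": "3.5.99"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:[-+~].*)?$")


def version_key(version: str) -> tuple:
    """Turn an OpenSSL version string into a comparable tuple.
    Handles the 1.x letter suffix (1.1.1w -> patch letter 23) and 3.x numeric
    patch levels; a distro revision after '-', '+' or '~' is ignored."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), letter_rank)


def branch_of(key: tuple) -> str:
    """1.x releases are branched per patch series (1.1.1); 3.x per minor (3.0)."""
    return f"{key[0]}.{key[1]}.{key[2]}" if key[0] < 3 else f"{key[0]}.{key[1]}"


def find_affected(sbom: dict, fixes: dict = PLACEHOLDER_FIXES) -> list:
    """Walk a CycloneDX-style component list and report OpenSSL entries that
    are below the fixed version for their branch, or sit on a branch with no
    fix at all (an end-of-life branch needs a review, not a version bump)."""
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() != "openssl":
            continue
        key = version_key(comp["version"])
        fixed = fixes.get(branch_of(key))
        if fixed is None:
            findings.append({"version": comp["version"], "status": "no-fix-for-branch"})
        elif key < version_key(fixed):
            findings.append({"version": comp["version"], "status": "vulnerable",
                             "fixed_in": fixed})
    return findings


# Constructed SBOM for demonstration; the versions are illustrative only.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "openssl", "version": "3.0.13"},
        {"name": "openssl", "version": "1.1.1w"},
        {"name": "openssl", "version": "3.5.99"},
        {"name": "openssl", "version": "1.0.2u"},
        {"name": "zlib", "version": "1.3.1"},
    ],
}

if __name__ == "__main__":
    for finding in find_affected(SAMPLE_SBOM):
        print(finding)
```

Two caveats a practitioner would apply before trusting the output: distribution packages (Debian, RHEL and their derivatives) routinely backport fixes without changing the upstream version string, so a hit on `3.0.13-1~deb12u1` needs confirmation against the distro's security tracker rather than automatic escalation; and OpenSSL may appear under package names such as `libssl3` or be statically linked into another component, so matching on `name == "openssl"` alone will miss copies that a purl or binary fingerprint would catch.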