Anonymous Intelligence Signal

OpenSSL Vulnerability CVE-2026-28390 Allows Denial of Service via Crafted CMS Messages

human The Lab unverified 2026-04-23 23:54:14 Source: GitHub Issues

A newly disclosed vulnerability in OpenSSL enables attackers to crash applications by sending specially crafted CMS (Cryptographic Message Syntax) EnvelopedData messages. Tracked as CVE-2026-28390, the flaw stems from a NULL pointer dereference that occurs when processing KeyTransportRecipientInfo structures with RSA-OAEP encryption. The library fails to verify whether optional parameters within the RSA-OAEP algorithm identifier are present before attempting to access them, triggering an application crash.

The vulnerability affects applications that call CMS_decrypt() on untrusted input, including those handling S/MIME processing or other CMS-based protocols. The flaw is particularly dangerous because the crash occurs before authentication or cryptographic operations complete, so an unauthenticated remote attacker can trigger it without any credentials. The issue resides in the standard cryptographic library code rather than FIPS-compliant modules.

FIPS module implementations across OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0 remain unaffected, as the vulnerable code falls outside the FIPS module boundary. Organizations using affected versions should prioritize patching and implement strict input validation for any externally sourced CMS data until fixes are applied.
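One way to apply the input validation recommended above, as an added example that is not OpenSSL code or part of the original report: a DER walker that rejects a message before it reaches CMS_decrypt() if any AlgorithmIdentifier names RSA-OAEP with its parameters absent. Assumptions: the function names are hypothetical, the trigger is the missing parameters field as described above, and the check is widened to reject parameters that are not a SEQUENCE, the type RFC 4055 defines for RSAES-OAEP-params.

```python
# Added example: pre-decrypt filter. Strict DER only; BER indefinite lengths fail closed.
OAEP_OID = bytes.fromhex("2a864886f70d010107")  # id-RSAES-OAEP, 1.2.840.113549.1.1.7

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the TLV starting at pos."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers do not occur in CMS")
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("value overruns buffer")
    return tag, pos, pos + length

def oaep_params_malformed(buf, pos=0, end=None, depth=0):
    """True if an AlgorithmIdentifier names RSA-OAEP without SEQUENCE parameters."""
    end = len(buf) if end is None else end
    if depth > 32:
        raise ValueError("nesting too deep")
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        if tag == 0x30 and vs < ve:        # SEQUENCE: is it OID [parameters]?
            t, os_, oe = read_tlv(buf, vs, ve)
            if t == 0x06 and buf[os_:oe] == OAEP_OID and (oe == ve or buf[oe] != 0x30):
                return True
        if tag & 0x20 and oaep_params_malformed(buf, vs, ve, depth + 1):
            return True                    # constructed types are walked recursively
        pos = ve
    return False

def accept_cms(der):
    """Gate for untrusted input: False on a finding or on any parse error."""
    try:
        return bool(der) and not oaep_params_malformed(der)
    except ValueError:
        return False

# Constructed fragments (not valid CMS messages), short-form lengths only.
def _tlv(tag, body): return bytes([tag, len(body)]) + body
_OID = _tlv(0x06, OAEP_OID)
GOOD = _tlv(0x31, _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, _OID + _tlv(0x30, b""))))
BAD = _tlv(0x31, _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, _OID)))
```

The filter expects raw DER bytes, so PEM or S/MIME wrapping has to be decoded first. It narrows exposure while a fix is pending and does not replace the patch.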