OpenSSL NULL Pointer Dereference Vulnerability CVE-2026-28389 Exposes CMS Processing to Denial of Service

A critical NULL pointer dereference vulnerability has been identified in OpenSSL's handling of CMS EnvelopedData messages, potentially enabling remote denial of service attacks against applications that process untrusted cryptographic data. The flaw, tracked as CVE-2026-28389, specifically targets the KeyAgreeRecipientInfo processing path within the library's CMS decryption routines.

The vulnerability arises when OpenSSL processes a crafted CMS EnvelopedData message containing KeyAgreeRecipientInfo without properly validating the presence of the optional parameters field in the KeyEncryptionAlgorithmIdentifier. When this field is absent, the code attempts to examine it without first checking for its existence, triggering a NULL pointer dereference that causes the application to crash. Any software that invokes CMS_decrypt() on attacker-controlled input—including S/MIME email processing, CMS-based authentication protocols, or other cryptographic message handling systems—may be vulnerable to exploitation. An unauthenticated remote attacker could potentially trigger this condition by delivering a specially crafted CMS message to a susceptible application.

The NVD entry confirms that OpenSSL FIPS modules across versions 3.6, 3.5, 3.4, 3.3, and 3.0 are not affected by this issue, as the vulnerable code resides outside the FIPS module boundary. This distinction is significant for organizations operating under FIPS compliance requirements. The vulnerability poses a moderate-to-high risk to enterprise environments relying on OpenSSL for secure communications, particularly where S/MIME or CMS-based protocols handle external or unverified data sources. Administrators should monitor for official patches from the OpenSSL project and apply mitigations consistent with vendor guidance.