CVE-2026-28389

# PoC Concept: Crafted CMS EnvelopedData with missing parameters import sys from pyasn1.type import univ, namedtype from pyasn1.codec.der import encoder # Simplified ASN.1 structure representation for KeyAgreeRecipientInfo # missing the 'parameters' field in KeyEncryptionAlgorithmIdentifier class MalformedKeyAgreeRecipientInfo(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType('version', univ.Integer()), # ... other fields ... # KeyEncryptionAlgorithmIdentifier without 'parameters' would go here ) # Note: This is a conceptual representation. Actual exploitation requires # constructing a full valid DER-encoded CMS blob where the specific # optional parameter is omitted to trigger the NULL deref in OpenSSL. def generate_malformed_cms(): # In a real exploit, this blob would be the crafted CMS data return b"MALFORMED_CMS_DATA" if __name__ == "__main__": print("Generating malformed CMS data for CVE-2026-28389...") data = generate_malformed_cms() print(f"Payload length: {len(data)}") # Send this data to a target application using CMS_decrypt()

{"cve": {"id": "CVE-2026-28389", "sourceIdentifier": "[email protected]", "published": "2026-04-07T22:16:21.030", "lastModified": "2026-05-12T13:17:33.637", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: During processing of a crafted CMS EnvelopedData message\nwith KeyAgreeRecipientInfo a NULL pointer dereference can happen.\n\nImpact summary: Applications that process attacker-controlled CMS data may\ncrash before authentication or cryptographic operations occur resulting in\nDenial of Service.\n\nWhen a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is\nprocessed, the optional parameters field of KeyEncryptionAlgorithmIdentifier\nis examined without checking for its presence. This results in a NULL\npointer dereference if the field is missing.\n\nApplications and services that call CMS_decrypt() on untrusted input\n(e.g., S/MIME processing or CMS-based protocols) are vulnerable.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this\nissue, as the affected code is outside the OpenSSL FIPS module boundary."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.2", "versionEndExcluding": "1.0.2zp", "matchCriteriaId": "CE7957CC-80F0-4907-BFB5-AFB6994DDE3C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1zg", "matchCriteriaId": "656A0540-5825-498E-A7AB-C14976FEE45D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.20", "matchCriteriaId": "B28A8143-89A4-4332-A1F8-A65FB5AA829F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.7", "matchCriteriaId": "CF303B21-D9BF-461D-B7B0-A3FE1D557A9F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.5", "matchCriteriaId": "DCCE43D0-8F17-475D-9EE6-842F758A9905"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.5.6", "matchCriteriaId": "F6BC0271-444D-4597-BF05-DC60034EAA49"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0", "versionEndExcluding": "3.6.2", "matchCriteriaId": "4A9E621D-29D8-418A-BF37-BED333C14507"}]}]}], "references": [{"url": "https://github.com/openssl/openssl/commit/16cea4188e0ea567deb4f93f85902247e67384f5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/785cbf7ea3b5a6f5adf0c1ccb92b79d89c35c616", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/7b5274e812400cacb6f3be4c2df5340923fa807f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/c6725634e089eb2b634b10ede33944be7248172a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/f80f83bc5fd036bc47d773e8b15a001e2b4ce686", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://openssl-library.org/news/secadv/20260407.txt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}}