How to fix CVE-2026-28389?

Within 24 hours: Identify all systems running OpenSSL 1.0.2, 1.1.1, 3.0.x, 3.3.x, 3.4.x, 3.5.x, or 3.6.x (use `openssl version` command). Within 7 days: Apply vendor patches-upgrade to OpenSSL 1.0.2zp, 1.1.1zg, 3.0.20, 3.3.7, 3.4.5, 3.5.6, or 3.6.2 depending on current version. Prioritize S/MIME processors, email servers, and CMS-dependent applications. Within 30 days: Validate patching completion across all infrastructure, test S/MIME and encrypted message handling post-patch.

Is Null Pointer Dereference affected by CVE-2026-28389?

OpenSSL versions 1.0.2 through 3.6 contain a null pointer dereference in CMS EnvelopedData processing that allows unauthenticated attackers to crash S/MIME and CMS-enabled applications, disrupting email security and encrypted communication services.

CVE-2026-28389

EUVD-2026-19965 HIGH

2026-04-07 openssl

GHSA-7x88-9hgc-69gf

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 22:16 euvd

EUVD-2026-19965

Analysis Generated

Apr 07, 2026 - 22:16 vuln.today

Patch Released

Apr 07, 2026 - 22:16 nvd

Patch available

CVE Published

Apr 07, 2026 - 22:00 nvd

HIGH 7.5

Description

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Analysis

Null pointer dereference in OpenSSL 1.0.2 through 3.6 CMS EnvelopedData processing crashes applications before authentication when KeyAgreeRecipientInfo messages lack optional parameters field. Unauthenticated remote attackers can trigger denial of service against S/MIME processors and CMS-based protocol handlers calling CMS_decrypt() on untrusted input. …

Remediation

Within 24 hours: Identify all systems running OpenSSL 1.0.2, 1.1.1, 3.0.x, 3.3.x, 3.4.x, 3.5.x, or 3.6.x (use `openssl version` command). Within 7 days: Apply vendor patches-upgrade to OpenSSL 1.0.2zp, 1.1.1zg, 3.0.20, 3.3.7, 3.4.5, 3.5.6, or 3.6.2 depending on current version. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2026-28389 vulnerability details – vuln.today

Back

CVE-2026-28389

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-28389

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code