CVE-2026-28390
Description
Moderate: compat-openssl11 security update
Description
openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing
Red Hat statement
This CVE has been rated as moderate by Red Hat because the vulnerability is limited to a denial-of-service condition caused by a NULL pointer dereference in OpenSSL CMS processing, without evidence of memory corruption or code execution; furthermore, the affected functionality is niche. The vulnerable path requires CMS/S/MIME processing, specifically CMS_decrypt(), with an RSA-OAEP KeyTransportRecipientInfo. Many OpenSSL consumers never use CMS APIs, never process S/MIME, or do not decrypt attacker-controlled CMS objects, so exposure is far narrower than a generic TLS parsing vulnerability.
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Discovery 2 | discovery/discovery-server-rhel9:1778101579 | RHSA-2026:14937 | 2026-05-07T00:00:00Z |
| Red Hat Hardened Images | openssl-main-3.5.6-0.3.hum1 | RHSA-2026:14217 | 2026-05-06T00:00:00Z |
| Red Hat Hardened Images | openssl-main-3.5.6-0.1.hum1 | RHSA-2026:7261 | 2026-04-09T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Confidential Cluster Operator | confidential-clusters-beta/confidential-cluster-operator-bundle | Affected |
| Confidential Cluster Operator | redhat-user-workloads/attestation-key-register | Affected |
| Confidential Cluster Operator | redhat-user-workloads/buildroot | Affected |
| Confidential Cluster Operator | redhat-user-workloads/compute-pcrs | Affected |
| Confidential Cluster Operator | redhat-user-workloads/confidential-cluster-operator | Affected |
| Confidential Cluster Operator | redhat-user-workloads/registration-server | Affected |
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-operator-bundle | Affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-monitor | Affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-monitor-v1-10 | Not affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-operator | Affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-operator-bundle-v1-10 | Not affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-operator-v1-10 | Not affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-podvm-builder | Affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-podvm-builder-v1-10 | Not affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-podvm-payload | Affected |
| Confidential Compute Attestation | redhat-user-workloads/osc-podvm-payload-v1-10 | Not affected |
| Confidential Compute Attestation | redhat-user-workloads/trustee | Affected |
| Lightspeed Core | lightspeed-core/dataverse-exporter-rhel9 | Affected |
| Logging Subsystem for Red Hat OpenShift | redhat-user-workloads/art-images | Not affected |
| Logging Subsystem for Red Hat OpenShift | redhat-user-workloads/logging-vector-v6-2 | Affected |
| Logging Subsystem for Red Hat OpenShift | redhat-user-workloads/logging-vector-v6-4 | Affected |
| Migration Toolkit for Applications 8 | redhat-user-workloads/art-images | Affected |
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-ocp-rag | Affected |
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-to-dataverse-exporter | Affected |
| OpenShift Service Mesh 3 | redhat-user-workloads/ossm-3-3-ztunnel | Not affected |
| Pen Drive Powered by Red Hat Lightspeed | redhat-user-workloads/pen-drive-scanner | Affected |
| Red Hat 3scale API Management Platform 2 | 3scale-amp21/backend | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp22/backend | Will not fix |
| Red Hat 3scale API Management Platform 2 | 3scale-amp2/backend-rhel8 | Will not fix |
| Red Hat Advanced Cluster Security 4 | rhacs-eng/release-fact | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel8 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/lightspeed-rhel8 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/automation-reports | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/ee-supported-rhel8 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/ee-supported-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-chatbot-rhel8 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/lightspeed-rhel8 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/controller-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/de-minimal-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/eda-controller-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/ee-minimal-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/ee-supported-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/gateway-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/hub-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/lightspeed-chatbot-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/lightspeed-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/mcp-tools-rhel9 | Affected |
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-26/metrics-service-rhel9 | Affected |
| Red Hat Ansible Automation Platform Ansible Core 2 | redhat-user-workloads/ee-minimal-ansible-core-2-18-rhel-8 | Affected |
| Red Hat Ansible Automation Platform Ansible Core 2 | redhat-user-workloads/ee-minimal-ansible-core-2-18-rhel-9 | Affected |
| Red Hat Ansible Automation Platform Ansible Core 2 | redhat-user-workloads/ee-minimal-ansible-core-2-19-rhel-8-tech-preview | Affected |
| Red Hat Ansible Automation Platform Ansible Core 2 | redhat-user-workloads/ee-minimal-ansible-core-2-19-rhel-9-tech-preview | Affected |
| Red Hat Ansible Automation Platform Ansible Core 2 | redhat-user-workloads/ee-minimal-ansible-core-2-20-rhel-8-tech-preview | Affected |
| Red Hat Ansible Automation Platform Ansible Core 2 | redhat-user-workloads/ee-minimal-ansible-core-2-20-rhel-9-tech-preview | Affected |
| Red Hat Connectivity Link 1 | redhat-user-workloads/rhcl-1-3-limitador | Affected |
| Red Hat Directory Server 11 | redhat-ds:11/389-ds-base | Not affected |
| Red Hat Directory Server 12 | redhat-ds:12/389-ds-base | Not affected |
| Red Hat Directory Server 13 | 389-ds-base | Not affected |
| Red Hat Enterprise Linux 10 | 389-ds-base | Not affected |
Apply commands

```shell
# The argument below is the container image reference copied from the errata table,
# not an RPM package name; on an RPM-based host use the package name from the
# applicable advisory (this page's title names compat-openssl11) instead.
yum update -y discovery/discovery-server-rhel9:1778101579
# or:
dnf upgrade -y discovery/discovery-server-rhel9:1778101579
```
OS impact
SUSE: Affected (1 release)
| Version | Status | Fixed in |
|---|---|---|
| n/a | Affected | n/a |
Debian: Mixed (5 releases)
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 3.5.5-1~deb13u2 |
| sid | Fixed | 3.6.2-1 |
| forky | Fixed | 3.6.2-1 |
| bullseye | Affected | n/a |
| bookworm | Fixed | 3.0.19-1~deb12u2 |
AlmaLinux: Fixed (2 releases)
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | openssl-devel-3.5.5-3.el9_8.i686.rpm |
| 8 | Fixed | compat-openssl10-1.0.2o-4.el8_10.2.i686.rpm |
Red Hat: Fixed (2 releases)
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | n/a |
| 8 | Fixed | n/a |
References
- https://github.com/openssl/openssl/commit/01194a8f1941115cd0383bfa91c736dd3993c8bc
- https://github.com/openssl/openssl/commit/2e39b7a6993be445fddb9fbce316fa756e0397b6
- https://github.com/openssl/openssl/commit/af2a5fecd3e71a29e7568f9c1453dec5cebbaff4
- https://github.com/openssl/openssl/commit/ea7b4ea4f9f853521ba34830cbcadc970d2e0788
- https://github.com/openssl/openssl/commit/fd2f1a6cf53b9ceeca723a001aa4b825d7c7ee75
- https://openssl-library.org/news/secadv/20260407.txt
- https://cert-portal.siemens.com/productcert/html/ssa-032379.html
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
- https://www.suse.com/security/cve/CVE-2026-28390.html
- https://security-tracker.debian.org/tracker/CVE-2026-28390
- https://access.redhat.com/errata/RHSA-2026:22315
- https://access.redhat.com/errata/RHSA-2026:22312
- https://access.redhat.com/errata/RHSA-2026:22313
- https://bugzilla.redhat.com/2456314
- https://errata.almalinux.org/8/ALSA-2026-22315.html
- https://errata.almalinux.org/9/ALSA-2026-22312.html
- https://errata.almalinux.org/9/ALSA-2026-22313.html
CWEs
CWE-476 (NULL Pointer Dereference)