MNBSD-2026-32: NULL dereference processing CMS KeyAgreeRecipientInfo

Severity: Unknown

Affected Package: openssl

Summary: NULL dereference processing CMS KeyAgreeRecipientInfo

Description

Processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo can trigger a NULL pointer dereference. Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations, resulting in Denial of Service. Severity: Low (OpenSSL).

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2026-28389

Published: June 11, 2026
Last Modified: June 11, 2026