Description
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension
is processed, a NULL pointer dereference might happen if the required CRL
Number extension is missing.

Impact summary: A NULL pointer dereference can trigger a crash which
leads to a Denial of Service for an application.

When CRL processing and delta CRL processing are enabled during X.509
certificate verification, the delta CRL processing does not check
whether the CRL Number extension is NULL before dereferencing it.
When a malformed delta CRL file is being processed, this pointer
can be NULL, causing a NULL pointer dereference.

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in
the verification context, the certificate being verified to contain a
freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and
an attacker to provide a malformed CRL to an application that processes it.

The vulnerability is limited to Denial of Service and cannot be escalated to
achieve code execution or memory disclosure. For that reason the issue was
assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the affected code is outside the OpenSSL FIPS module boundary.
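As an added illustration (not OpenSSL's code or part of the advisory), a minimal DER walker that flags the malformed CRL shape the advisory describes, a Delta CRL Indicator (OID 2.5.29.27) present without the CRL Number (OID 2.5.29.20) it requires, so such files can be rejected or triaged before an unpatched verifier dereferences the missing extension. The two sample CRLs are constructed and unsigned; the OIDs are real, the helper names are mine.

```python
DELTA_CRL_INDICATOR = b"\x55\x1d\x1b"   # OID 2.5.29.27 (id-ce-deltaCRLIndicator), DER-encoded
CRL_NUMBER = b"\x55\x1d\x14"            # OID 2.5.29.20 (id-ce-cRLNumber), DER-encoded

def _read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents):
    """Yield (tag, contents) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, val, pos = _read_tlv(contents, pos)
        yield tag, val

def crl_extension_oids(crl_der):
    """Set of DER-encoded extnID OIDs found in a CertificateList's crlExtensions."""
    _, cert_list, _ = _read_tlv(crl_der)                # CertificateList ::= SEQUENCE {...}
    _, tbs, _ = _read_tlv(cert_list)                    # first field is tbsCertList
    oids = set()
    for tag, val in _children(tbs):
        if tag == 0xA0:                                  # crlExtensions [0] EXPLICIT Extensions
            _, exts, _ = _read_tlv(val)                 # Extensions ::= SEQUENCE OF Extension
            for _, ext in _children(exts):
                oids.add(_read_tlv(ext)[1])              # extnID is Extension's first field
    return oids

def delta_crl_missing_number(crl_der):
    """True for the malformed shape: Delta CRL Indicator present, CRL Number absent."""
    oids = crl_extension_oids(crl_der)
    return DELTA_CRL_INDICATOR in oids and CRL_NUMBER not in oids

# Constructed, unsigned sample CRLs for illustration only (not real CA output).
def _tlv(tag, body):                                     # short-form lengths suffice here
    return bytes([tag, len(body)]) + body
def _ext(oid, inner):                                    # Extension ::= SEQUENCE {extnID, extnValue}
    return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x04, inner))
def sample_crl(exts):
    tbs = (_tlv(0x02, b"\x01")                           # version v2
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _tlv(0x30, b"") + _tlv(0x17, b"260407000000Z")   # empty issuer Name, thisUpdate
           + _tlv(0xA0, _tlv(0x30, b"".join(exts))))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))  # + empty sigAlg, sig
WELL_FORMED_DELTA = sample_crl([_ext(CRL_NUMBER, _tlv(0x02, b"\x06")),          # CRLNumber 6
                                _ext(DELTA_CRL_INDICATOR, _tlv(0x02, b"\x05"))])  # BaseCRLNumber 5
MALFORMED_DELTA = sample_crl([_ext(DELTA_CRL_INDICATOR, _tlv(0x02, b"\x05"))])    # no CRL Number
```

This is a pre-filter and triage aid for CRLs that crash a verifier, not a replacement for OpenSSL's own parsing and signature checks.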
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A null pointer dereference can occur during delta CRL parsing when a Delta CRL Indicator extension is present but the required CRL Number extension is missing. This leads the OpenSSL code to dereference a null pointer, causing the application to crash and resulting in a denial of service. The flaw is classified as CWE-476 and, according to the vendor's security policy, is assessed as low severity even though the CVSS score is 7.5.

Affected Systems

The vulnerability affects all OpenSSL versions that support delta CRL verification when the X509_V_FLAG_USE_DELTAS flag is enabled. Any build that processes delta CRLs can be impacted; the FIPS modules shipped with 3.0, 3.3, 3.4, 3.5 and 3.6 are explicitly not affected because the affected code lies outside the FIPS module boundary.

Risk and Exploitability

The CVSS score of 7.5 suggests a serious impact, but the vendor's low-severity classification reflects the limited attack surface. The EPSS score is under 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of in-the-wild exploitation. The target's verification context must enable delta CRL processing, the certificate being verified must include a freshestCRL extension or the base CRL must be marked with EXFLAG_FRESHEST, and a malformed delta CRL must reach the application to trigger the crash. No escalation to code execution or memory disclosure is possible, so the risk is limited to a targeted denial of service.

Generated by OpenCVE AI on April 10, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patched OpenSSL release that removes the null-dereference bug, making sure the relevant commit hashes (e.g., 59c3b3158, 5a0b49307) are present in the build.
  • If a patch cannot be applied immediately, disable delta CRL support by clearing X509_V_FLAG_USE_DELTAS or remove freshestCRL extensions from certificates to avoid processing delta CRLs.
  • Monitor application logs for CRL parsing crashes and confirm that the vulnerability has been mitigated after a patch or configuration change.

Generated by OpenCVE AI on April 10, 2026 at 23:07 UTC.

Advisories
Source     | ID         | Title
Debian DSA | DSA-6201-1 | openssl security update
Ubuntu USN | USN-8155-1 | OpenSSL vulnerabilities
Ubuntu USN | USN-8155-2 | OpenSSL vulnerabilities
History

Tue, 12 May 2026 13:30:00 +0000


Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared: Openssl; Openssl openssl
Vendors & Products: Openssl; Openssl openssl

Tue, 07 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description (initial text; identical to the Description section above)
Title NULL Pointer Dereference When Processing a Delta CRL
Weaknesses CWE-476
References

MITRE
Status: PUBLISHED
Assigner: openssl
Published:
Updated: 2026-05-12T12:08:59.931Z
Reserved: 2026-02-27T13:45:02.161Z
Link: CVE-2026-28388

Vulnrichment
Updated: 2026-04-10T20:18:34.089Z

NVD
Status: Modified
Published: 2026-04-07T22:16:20.863
Modified: 2026-05-12T13:17:33.453
Link: CVE-2026-28388

Redhat
Severity: Low
Public Date: 2026-04-07T00:00:00Z
Links: CVE-2026-28388 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-13T14:26:16Z

Weaknesses