Impact
The vulnerability is a NULL pointer dereference in the OpenSSL CMP client when it processes a crafted CMP response. An attacker who controls a CMP server or can perform a man‑in‑the‑middle attack can send a response that includes a CRMF CertRepMessage with an EncryptedValue structure where the symmAlg field contains an algorithm OID but no parameters field. During decryption, the library dereferences a null pointer and the client crashes. The crash results in a denial of service; the application terminates and any services relying on it become unavailable. No confidentiality or integrity impact is disclosed.
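The condition described above, an algorithm OID with no parameters field, can be detected on the encoded structure before any decryption code touches it. The following C code is an added example, not OpenSSL code: it assumes a bare DER AlgorithmIdentifier with the universal SEQUENCE tag, and the helper names and AES-128-CBC sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL } */
enum algid_state { ALGID_MALFORMED, ALGID_PARAMS_ABSENT, ALGID_PARAMS_PRESENT };

/* Read one definite-length DER header (at most 2 length octets). On success
 * stores tag and length, leaves *p at the first content octet, returns 1. */
static int der_header(const unsigned char **p, const unsigned char *end,
                      unsigned char *tag, size_t *len)
{
    if (end - *p < 2) return 0;
    *tag = *(*p)++;
    unsigned char b = *(*p)++;
    if (b < 0x80) {
        *len = b;
    } else {
        size_t n = b & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - *p) < n) return 0;
        for (*len = 0; n > 0; n--) *len = (*len << 8) | *(*p)++;
    }
    return *len <= (size_t)(end - *p);   /* content must fit in the buffer */
}

/* Hypothetical helper: classify an encoded AlgorithmIdentifier. */
enum algid_state algid_check(const unsigned char *der, size_t der_len)
{
    const unsigned char *p = der, *end = der + der_len;
    unsigned char tag;
    size_t len;

    if (!der_header(&p, end, &tag, &len) || tag != 0x30) return ALGID_MALFORMED;
    end = p + len;                               /* stay inside the SEQUENCE */
    if (!der_header(&p, end, &tag, &len) || tag != 0x06 || len == 0) return ALGID_MALFORMED;
    p += len;                                    /* skip the OID contents */
    if (p == end) return ALGID_PARAMS_ABSENT;    /* OID only: reject before use */
    if (!der_header(&p, end, &tag, &len) || p + len != end) return ALGID_MALFORMED;
    return ALGID_PARAMS_PRESENT;
}

/* Constructed samples, AES-128-CBC OID 2.16.840.1.101.3.4.1.2. */
const unsigned char SAMPLE_NO_PARAMS[] = { 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02 };
/* Same OID followed by OCTET STRING(16); the 16 IV octets are zero-filled. */
const unsigned char SAMPLE_WITH_IV[31] = { 0x30, 0x1d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02, 0x04, 0x10 };

int main(void)
{
    printf("no params: %d\n", algid_check(SAMPLE_NO_PARAMS, sizeof SAMPLE_NO_PARAMS));
    printf("with IV:   %d\n", algid_check(SAMPLE_WITH_IV, sizeof SAMPLE_WITH_IV));
    return 0;
}
```

A caller that treats `ALGID_PARAMS_ABSENT` and `ALGID_MALFORMED` as hard errors never reaches a code path that reads the optional field through a null pointer.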
Affected Systems
Affected systems are any installations that use the OpenSSL library for CMP client functionality. The vulnerability is present in the non‑FIPS portion of the OpenSSL source code and applies to all supported releases of OpenSSL that include the CMP client code. The 4.0, 3.6, 3.5, 3.4, and 3.0 FIPS modules are not affected because the flawed code resides outside the FIPS boundary. Applications that parse untrusted CMP/CRMF messages and use the OpenSSL CMP client are at risk.
Risk and Exploitability
The flaw has a CVSS score of 5.9; no EPSS score is available, and the vulnerability is not listed in the official CISA KEV catalog. Exploitation is conditional: the attacker must control a CMP server or act as a man-in-the-middle, which limits exposure to environments where CMP traffic is not rigorously authenticated. Because the vulnerability causes only a crash and not arbitrary code execution, the attack surface is moderate. Nonetheless, any service using the exposed CMP client could experience downtime, so the risk to availability warrants prompt patching.