CVE-2026-28388 — NULL Pointer Dereference in Openssl

CWE-476 — NULL Pointer Dereference19 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 91.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Msrc Azl3 Openssl 3.3.5-4 ON Azure Linux 3.0

Timeline

PublishedApr 7

Latest updateApr 9

Description

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it.…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/openssl< openssl 3.0.19-1~deb12u2 (bookworm)

▶CVEListV5openssl/openssl3.6.0 — 3.6.2+6

▶Alpineopenssl/openssl< 3.5.6-r0+1

▶Debianopenssl/openssl< 3.0.19-1~deb12u2+1

▶msrcmsrc/azl3_openssl_3.3.5-4_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

GHSA-rpg5-467j-c25q: Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL↗2026-04-08

▶

OSV

CVE-2026-28388: Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL↗2026-04-07

▶

OSV

CVE-2026-28388: Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL↗2026-04-07

▶

OSV

CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL↗2026-04-07

▶

📋Vendor Advisories

Ubuntu

OpenSSL vulnerabilities↗2026-04-09

▶

Ubuntu

OpenSSL vulnerabilities↗2026-04-08

▶

Red Hat

openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL processing↗2026-04-07

▶

Microsoft

NULL Pointer Dereference When Processing a Delta CRL↗2026-04-02

▶

Debian

CVE-2026-28388: openssl - Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28388 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-28386 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-28387 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-28389 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-28390 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-28388 openssl: OpenSSL: Denial of Service due to NULL pointer dereference in delta CRL processing↗2026-03-25

▶