#VU125565 NULL pointer dereference in OpenSSL - CVE-2026-28388



Published: April 9, 2026


Vulnerability identifier: #VU125565
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28388
CWE-ID: CWE-476
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenSSL
Software vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in delta CRL processing during X.509 certificate verification: a malformed delta CRL that contains a Delta CRL Indicator extension but lacks a CRL Number extension triggers it. A remote attacker can supply such a CRL to cause a denial of service.

Exploitation requires that delta CRL processing be enabled in the verification context and that the certificate or base CRL indicate freshest CRL processing.
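As an added defender-side example (not OpenSSL's code and not part of this advisory), the following Python flags a DER-encoded CRL that carries a Delta CRL Indicator extension but no CRL Number extension, which is the malformed shape described above and one that RFC 5280 does not permit (section 5.2.3 requires conforming CRLs to carry a CRL Number). It relies only on a small DER walker written here, so it needs no third-party packages; the two CRLs it checks are constructed inline and unsigned, and the check is meant as a pre-filter in front of verification in unpatched deployments, not as a substitute for the vendor update.

```python
OID_CRL_NUMBER = "2.5.29.20"               # id-ce-cRLNumber (RFC 5280 5.2.3)
OID_DELTA_CRL_INDICATOR = "2.5.29.27"      # id-ce-deltaCRLIndicator (RFC 5280 5.2.4)
OID_SHA256_RSA = "1.2.840.113549.1.1.11"   # used only to build the sample CRLs


def _read_length(data, i):
    """Decode the DER length at data[i]; return (length, index of content)."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(data):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n


def _decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _walk(data, start, end, oids):
    """Visit every TLV in data[start:end], recursing into constructed ones.
    extnValue is a primitive OCTET STRING, so nested DER inside it is not scanned."""
    i = start
    while i < end:
        tag = data[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are not expected in a CRL")
        length, i = _read_length(data, i + 1)
        if i + length > end:
            raise ValueError("truncated TLV")
        if tag & 0x20:            # constructed: SEQUENCE, SET, [0] EXPLICIT, ...
            _walk(data, i, i + length, oids)
        elif tag == 0x06:         # primitive OBJECT IDENTIFIER
            oids.append(_decode_oid(data[i:i + length]))
        i += length


def crl_oids(der):
    """Return every OID that appears at TLV level in a CertificateList (extension ids included)."""
    oids = []
    _walk(der, 0, len(der), oids)
    return oids


def delta_crl_missing_crl_number(der):
    """True when the CRL claims to be a delta CRL but carries no CRL Number extension."""
    oids = crl_oids(der)
    return OID_DELTA_CRL_INDICATOR in oids and OID_CRL_NUMBER not in oids


# --- DER builders for the constructed, unsigned sample CRLs (demo only) ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _extension(oid, critical, value_der):
    body = _oid(oid) + (_tlv(0x01, b"\xff") if critical else b"") + _tlv(0x04, value_der)
    return _tlv(0x30, body)


def build_sample_crl(with_crl_number):
    """Constructed CertificateList with a Delta CRL Indicator and, optionally, a CRL Number."""
    exts = b""
    if with_crl_number:
        exts += _extension(OID_CRL_NUMBER, False, _tlv(0x02, b"\x07"))
    exts += _extension(OID_DELTA_CRL_INDICATOR, True, _tlv(0x02, b"\x05"))
    tbs = _tlv(0x30, b"".join([
        _tlv(0x02, b"\x01"),                   # version v2
        _tlv(0x30, _oid(OID_SHA256_RSA)),      # signature AlgorithmIdentifier
        _tlv(0x30, b""),                       # issuer: empty Name (sample only)
        _tlv(0x17, b"260401000000Z"),          # thisUpdate
        _tlv(0x17, b"260501000000Z"),          # nextUpdate
        _tlv(0xA0, _tlv(0x30, exts)),          # crlExtensions [0] EXPLICIT Extensions
    ]))
    sig = _tlv(0x03, b"\x00" + bytes(4))      # placeholder BIT STRING, not a real signature
    return _tlv(0x30, tbs + _tlv(0x30, _oid(OID_SHA256_RSA)) + sig)


if __name__ == "__main__":
    for label, crl in (("well-formed delta CRL", build_sample_crl(True)),
                       ("delta CRL without CRL Number", build_sample_crl(False))):
        print(f"{label}: reject={delta_crl_missing_crl_number(crl)}")
```

The walker deliberately stops at the OCTET STRING boundary of each extnValue, so only the extension identifiers themselves (plus the algorithm OIDs) are collected; a CRL from a real issuer can be passed to `delta_crl_missing_crl_number` unchanged, and anything it rejects should simply be dropped before the verifier sees it.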


Remediation

Install the security update from the vendor's website.

External links