CVE‑2026‑28389 Spike

- CVE‑2026‑28389 became the top vulnerability in feeds this week, dominating published reports. (x.com)
- It accounted for 55 articles analyzed across security feeds in the past week. (x.com)
- Analysts flagged priority risk to AI and managed‑cloud infrastructure amid thousands of new bugs and high‑severity CVSS findings. (x.com)

CVE‑2026‑28389 surged to the top of security coverage this week after OpenSSL’s maintainers disclosed a bug that can crash software handling crafted encrypted messages. (nvd.nist.gov) The bug sits in OpenSSL’s Cryptographic Message Syntax (CMS) code, the format used for signed or encrypted blobs in S/MIME (Secure/Multipurpose Internet Mail Extensions) and other certificate-based workflows. NIST’s National Vulnerability Database says a malformed `EnvelopedData` message can trigger a null-pointer dereference before authentication or cryptographic checks finish. (nvd.nist.gov) The CVSS score supplied by CISA as an Authorized Data Publisher rates the flaw 7.5 out of 10, high severity, with a network attack vector, low attack complexity, no privileges required and no user interaction. The same NIST entry lists the impact as denial of service, not confirmed code execution. (nvd.nist.gov)

In plain terms, the vulnerable code is a parser: it opens a structured encrypted package and checks the fields inside. Here, OpenSSL examines an optional field without first confirming it is present, so a specially built message can make the program read through a null pointer and crash. (nvd.nist.gov; tenable.com) Because the dereference happens before any decryption or signature verification, the sender needs no key material and no valid recipient entry; any message that reaches the parser will do.

The immediate exposure is concentrated in software that calls `CMS_decrypt` on untrusted input. NIST names S/MIME processing and other CMS-based protocols as examples, which puts the risk on mail gateways, document-handling services, and backend components that ingest outside cryptographic content. (nvd.nist.gov) OpenSSL’s own vulnerability tracker lists versions 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 as vulnerable and notes that the affected code is outside the Federal Information Processing Standards (FIPS) module boundary. (openssl-library.org; ubuntu.com) That note is about the validated module, not about deployments: the CMS parser lives in the general-purpose library rather than in the FIPS provider, so the FIPS module itself needs no update, but an application that feeds untrusted CMS data to `CMS_decrypt` is exposed whether or not it loads the FIPS module.

Linux distributors started shipping fixes on April 7. Debian said the OpenSSL issues, including CVE‑2026‑28389, were fixed in version 3.0.19-1~deb12u2 for oldstable Bookworm and 3.5.5-1~deb13u2 for stable Trixie, and urged users to upgrade. (lists.debian.org) Ubuntu’s tracker shows that patch status is uneven across packages because OpenSSL is embedded in multiple components. As of the current advisory, Ubuntu lists fixes for some older maintained packages, marks OpenSSL in 22.04 LTS Jammy as “not in release,” and says bundled copies in software such as `edk2` still need evaluation. (ubuntu.com) Inventories therefore need to cover statically linked and vendored copies of OpenSSL, not only the distribution package.

The spike in coverage also landed during a heavy disclosure week. CISA’s April 13 bulletin sorts new entries by Common Vulnerability Scoring System severity and carries a long list of high-severity flaws published during the week of April 6, underscoring that defenders are triaging thousands of fresh records rather than a single bug in isolation. (cisa.gov) That is why CVE‑2026‑28389 drew outsized attention: it affects a core cryptography library, it can be reached over the network in some deployments, and vendors are already pushing package updates instead of treating it as a theoretical edge case. (nvd.nist.gov; lists.debian.org)
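The bug class described above, an OPTIONAL field dereferenced without a presence check, is easy to see in a toy parser. The following C program is an added example written for this briefing; it is not OpenSSL’s code, not the CMS encoding, and not the actual patch. The TLV layout, the tag values (`0x02`, `0xA0`, `0x31`), the names `parse_enveloped`, `originator_first_byte_unchecked`, `originator_first_byte` and `selftest`, and the sample byte strings `WITH_ORIG` and `NO_ORIG` are all invented for illustration. It shows the unchecked access next to its hardened form and runs the hardened path over a message with the optional field, one without it, and a truncated one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy DER-style TLV layout invented for this example (NOT real CMS EnvelopedData):
 *   0x02 <len> version          (required)
 *   0xA0 <len> originatorInfo   (OPTIONAL, context tag [0])
 *   0x31 <len> recipientInfos   (required)
 * Short-form lengths (<= 127 bytes) only. */
typedef struct { const uint8_t *data; size_t len; } span_t;

typedef struct {
    span_t version;
    span_t originator;   /* data == NULL when the OPTIONAL field is absent */
    span_t recipients;
} enveloped_t;

/* Read one TLV at *pos with bounds checks. Returns 0 on success, -1 on malformed input. */
static int read_tlv(const uint8_t *buf, size_t buflen, size_t *pos,
                    uint8_t *tag, span_t *val)
{
    if (*pos + 2 > buflen) return -1;           /* no room for tag + length */
    size_t len = buf[*pos + 1];
    if (len > 0x7F) return -1;                  /* long-form length: unsupported here */
    if (len > buflen - (*pos + 2)) return -1;   /* value would run past the buffer */
    *tag = buf[*pos];
    val->data = buf + *pos + 2;
    val->len = len;
    *pos += 2 + len;
    return 0;
}

/* Parse a message; the OPTIONAL field stays NULL when it is absent. */
int parse_enveloped(const uint8_t *buf, size_t buflen, enveloped_t *out)
{
    size_t pos = 0;
    uint8_t tag = 0;
    span_t v = { NULL, 0 };

    memset(out, 0, sizeof *out);
    if (read_tlv(buf, buflen, &pos, &tag, &v) != 0 || tag != 0x02) return -1;
    out->version = v;

    if (read_tlv(buf, buflen, &pos, &tag, &v) != 0) return -1;
    if (tag == 0xA0) {                          /* OPTIONAL originatorInfo present */
        out->originator = v;
        if (read_tlv(buf, buflen, &pos, &tag, &v) != 0) return -1;
    }
    if (tag != 0x31) return -1;
    out->recipients = v;
    return (pos == buflen) ? 0 : -1;            /* reject trailing garbage */
}

/* Vulnerable pattern: treats the OPTIONAL field as always present. On a message
 * without originatorInfo this reads through a NULL pointer and the process dies,
 * before any key is used or any signature is checked. Shown only for the shape
 * of the bug; never call it on a message you have not checked. */
int originator_first_byte_unchecked(const enveloped_t *m)
{
    return m->originator.data[0];
}

/* Hardened form: presence first. Returns 0 = value stored in *out,
 * 1 = field absent (a normal outcome for OPTIONAL), -1 = present but empty. */
int originator_first_byte(const enveloped_t *m, int *out)
{
    if (m->originator.data == NULL) return 1;
    if (m->originator.len == 0) return -1;
    *out = m->originator.data[0];
    return 0;
}

/* Constructed sample messages in the toy encoding (not real CMS bytes). */
static const uint8_t WITH_ORIG[] = { 0x02,0x01,0x02, 0xA0,0x02,0xAA,0xBB, 0x31,0x01,0x00 };
static const uint8_t NO_ORIG[]   = { 0x02,0x01,0x02, 0x31,0x01,0x00 };

/* Runs the hardened path over both samples and a truncated message.
 * Returns 0 when every case behaves as intended, otherwise the failing step number. */
int selftest(void)
{
    enveloped_t m;
    int b = -1;

    if (parse_enveloped(WITH_ORIG, sizeof WITH_ORIG, &m) != 0) return 1;
    if (originator_first_byte(&m, &b) != 0 || b != 0xAA) return 2;

    if (parse_enveloped(NO_ORIG, sizeof NO_ORIG, &m) != 0) return 3;
    if (m.originator.data != NULL) return 4;
    if (originator_first_byte(&m, &b) != 1) return 5;   /* absent: reported, not crashed */

    /* A truncated message is rejected by the parser instead of failing later. */
    if (parse_enveloped(NO_ORIG, sizeof NO_ORIG - 1, &m) == 0) return 6;
    return 0;
}

int main(void)
{
    int rc = selftest();
    printf("selftest: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point of the two accessor functions is the contract change, not the one-line check: in the hardened form “absent” is a return code the caller must handle, so a fuzzer feeding the parser random messages exercises that branch instead of a crash. The same discipline applies to every OPTIONAL member a real ASN.1 decoder hands back as a possibly-NULL pointer.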

Shared from Scout.