openssl-1.1.1k-17.el8_6
エラータID: AXSA:2026-1267:12
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
* openssl: OpenSSL: Denial of Service due to NULL pointer dereference in CMS EnvelopedData processing (CVE-2026-28390)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-28390
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Update packages.
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
N/A
SRPMS
- openssl-1.1.1k-17.el8_6.src.rpm
MD5: d58ca7d4a720bede0f007ec951e51933
SHA-256: 17c0cb4183c65306d1c7d0a1b70f54b5c0ff3f50d10f8a0fbb950013011e6650
Size: 7.40 MB
Asianux Server 8 for x86_64
- openssl-1.1.1k-17.el8_6.x86_64.rpm
MD5: 96f2384b6c2d6764e642854b5b71a49e
SHA-256: d45ecb9ce5827510608fa1a684c987ab664941304e4ac32f9317dbf17695a550
Size: 710.74 kB - openssl-devel-1.1.1k-17.el8_6.i686.rpm
MD5: c5c6b6e4408eb3c529e634c92cc73705
SHA-256: abd14cb259989371a31ac16643f9de5d4141d7263611babd57bbf784291b6691
Size: 2.33 MB - openssl-devel-1.1.1k-17.el8_6.x86_64.rpm
MD5: 5e88160fcaea1dc3ed70b05643801761
SHA-256: b8628ee9c55d76fa99284e58eb48c3dea4da9c420c04148a4f6034fc6f0c70e9
Size: 2.33 MB - openssl-libs-1.1.1k-17.el8_6.i686.rpm
MD5: 5ade4912ae8cca0761ef79d2f3af18f7
SHA-256: 94594e96be5e74873e24dd598aea3c1430adf402cd7fd07ee7db7307e1bd7b64
Size: 1.48 MB - openssl-libs-1.1.1k-17.el8_6.x86_64.rpm
MD5: 00e69c168caed9c0f1847f3646e3ac42
SHA-256: 73c7ae0120a2d8af4f4ec34d1046692f420e42d0c0201c17e6552557bbe6a504
Size: 1.47 MB - openssl-perl-1.1.1k-17.el8_6.x86_64.rpm
MD5: cb151d134bd0b693dce0d7ebe0704a8b
SHA-256: 5e078582fd25575bd0d125e186426ea825d3310820b8741ef1f8aa9107daf3d9
Size: 83.35 kB