Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

NULL Pointer Dereference in OpenSSL Delta CRL Processing

IdentifiersCVE-2026-28388CWE-476· NULL Pointer Dereference

CVE-2026-28388 is a NULL pointer dereference vulnerability in OpenSSL's X.509 certificate verification path when processing delta CRLs. When a delta CRL containing a Delta CRL Indicator extension is processed, OpenSSL fails to verify that the required CRL Number extension is present before dereferencing it. If an attacker supplies a malformed delta CRL in which the CRL Number extension is missing, the affected code can dereference a NULL pointer and crash the application. The issue occurs only when CRL processing and delta CRL processing are enabled during certificate verification. According to the provided advisory text, the vulnerable condition is outside the OpenSSL FIPS module boundary, and the FIPS modules in 3.6, 3.5, 3.4, 3.3, and 3.0 are not affected.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes application termination via NULL pointer dereference, resulting in denial of service. The provided content explicitly states the impact is limited to DoS and cannot be escalated to code execution or memory disclosure. Exposure is most relevant for applications that consume attacker-influenced CRLs during X.509 validation, such as certificate-processing services or PKI-related workflows.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable delta CRL processing where operationally feasible by avoiding use of X509_V_FLAG_USE_DELTAS during certificate verification, and avoid processing untrusted or attacker-supplied CRLs. Restrict CRL sources to trusted channels and validate PKI inputs before they reach vulnerable verification paths. These measures reduce exposure but do not replace upgrading to a fixed version.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release. The provided content states fixes are included in OpenSSL 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, with premium-support fixes also listed for 1.1.1zg and 1.0.2zp. Downstream distributions should consume the corresponding vendor-updated OpenSSL packages.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app
alpinelinuxNews
Apr 15, 2026
Alpine Linue stable releases 3.20.10, 3.21.7, 3.22.4, 3.23.4 | Alpine Linux

A specific vulnerability in OpenSSL addressed in Alpine Linux stable releases 3.20.10, 3.21.7, 3.22.4, and 3.23.4.

Read more
help net securityNews
Apr 8, 2026
OpenSSL 3.6.2 lands with eight CVE fixes - Help Net Security

A NULL pointer dereference when processing a delta CRL in OpenSSL.

Read more
cyberthroneNews
Apr 8, 2026
OpenSSL 3.6.2: The Moderate Severity Wave - TheCyberThrone

A NULL pointer dereference in delta CRL processing that can cause denial of service when malformed CRLs are handled.

Read more
openssl libraryNews
Apr 7, 2026
OpenSSL Release Announcement for 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg and 1.0.2zp | OpenSSL Library

NULL pointer dereference when processing a Delta CRL in OpenSSL.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity9

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-28388
NVD
nvd.nist.gov/vuln/detail/CVE-2026-28388
MITRE CWE · CWE-476
NULL Pointer Dereference
Patch
github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e
Patch
github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139
Patch
github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3
Patch
github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8
Patch
github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726
Vendor Advisory
openssl-library.org/news/secadv/20260407.txt
cert-portal.siemens.com
cert-portal.siemens.com/productcert/html/ssa-032379.html
cert-portal.siemens.com
cert-portal.siemens.com/productcert/html/ssa-265688.html