PatchSiren cyber security CVE debrief
CVE-2026-28388 Cert Portal CVE debrief
CVE-2026-28388 is a denial-of-service flaw in Siemens SIMATIC CN 4100 versions before V5.0. When X.509 verification is configured to use delta CRLs, a malformed delta CRL that carries a Delta CRL Indicator extension but omits the required CRL Number extension triggers a NULL pointer dereference and crashes the verifying application.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 (vers:intdot/<5.0, i.e. all versions before V5.0)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators and integrators running Siemens SIMATIC CN 4100 versions before V5.0, especially where X.509 certificate verification performs CRL checking with delta CRLs enabled (OpenSSL's X509_V_FLAG_USE_DELTAS verification flag) or accepts externally supplied CRLs.
Technical summary
According to the Siemens/CISA advisory, delta CRL processing does not check whether the CRL Number extension is present (the pointer is NULL when the extension is absent) before dereferencing it. An attacker who can supply a malformed CRL can trigger the NULL pointer dereference when the verification context enables X509_V_FLAG_USE_DELTAS and the certificate or base CRL triggers freshestCRL/delta CRL handling (EXFLAG_FRESHEST). The documented impact is a crash and denial of service; the source states that the flaw cannot be escalated to code execution or memory disclosure.
Defensive priority
Medium. The issue is limited to availability impact and requires specific verification settings plus attacker-controlled malformed CRL input, but it can still crash affected applications.
Recommended defensive actions
- Update Siemens SIMATIC CN 4100 to V5.0 or later, per vendor remediation guidance.
- Review any certificate-validation paths that enable delta CRL processing and confirm whether X509_V_FLAG_USE_DELTAS is necessary.
- Treat external CRLs as untrusted input: parse them and reject any CRL that carries a Delta CRL Indicator extension without a CRL Number extension before it reaches the verifier.
- If operationally feasible, reduce or remove reliance on delta CRL processing in affected environments.
- Monitor Siemens ProductCERT and CISA advisory guidance for deployment-specific mitigation updates.
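The pre-check recommended above (reject a delta CRL that lacks a CRL Number extension before it reaches the verifier), together with the extension pairing described in the technical summary, as an added example that is not part of the advisory and not Siemens or OpenSSL code. It walks the DER of a CertificateList with a minimal stdlib-only TLV reader, collects the crlExtensions by OID, and returns a verdict. The sample CRLs are constructed inline with a tiny DER encoder and are unsigned (a dummy signature BIT STRING), since only extension presence is being checked; the issuer name, date and extension values are assumptions for the sample.

```python
"""Reject delta CRLs that lack a CRL Number extension before they reach the X.509 verifier.

Added example for this debrief, not vendor or library code. Pure stdlib: a minimal DER
TLV walker plus a tiny encoder used only to construct unsigned sample CRLs inline.
"""

OID_CRL_NUMBER = "2.5.29.20"           # id-ce-cRLNumber
OID_DELTA_CRL_INDICATOR = "2.5.29.27"  # id-ce-deltaCRLIndicator


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos). Definite lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    """Decode OID content octets to dotted form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def crl_extensions(crl_der):
    """Return {oid: extnValue bytes} for the crlExtensions of a DER CertificateList."""
    tag, cert_list, _ = _read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not a CertificateList SEQUENCE")
    tbs_cert_list = _children(cert_list)[0][1]
    for tag, val in _children(tbs_cert_list):
        if tag == 0xA0:  # crlExtensions [0] EXPLICIT Extensions
            exts = {}
            for _, ext in _children(_children(val)[0][1]):
                fields = _children(ext)  # extnID, optional critical BOOLEAN, extnValue
                exts[_decode_oid(fields[0][1])] = fields[-1][1]
            return exts
    return {}


def check_delta_crl(crl_der):
    """'base' = no Delta CRL Indicator; 'ok' = delta with CRL Number; 'reject' = delta without it."""
    exts = crl_extensions(crl_der)
    if OID_DELTA_CRL_INDICATOR not in exts:
        return "base"
    return "ok" if OID_CRL_NUMBER in exts else "reject"


# --- Tiny DER encoder, used only to build the constructed sample CRLs below ---

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(chunk)
    return _der(0x06, bytes(body))


def _extension(oid, value_der, critical=False):
    body = _encode_oid(oid) + (_der(0x01, b"\xff") if critical else b"")
    return _der(0x30, body + _der(0x04, value_der))


def build_sample_crl(extensions):
    """Constructed, unsigned v2 CRL (assumed issuer/date, dummy signature) carrying `extensions`."""
    ecdsa_sha256 = _der(0x30, _encode_oid("1.2.840.10045.4.3.2"))
    issuer = _der(0x30, _der(0x31, _der(0x30, _encode_oid("2.5.4.3") + _der(0x0C, b"Test CA"))))
    tbs = _der(0x02, b"\x01") + ecdsa_sha256 + issuer + _der(0x17, b"260512000000Z")
    if extensions:
        tbs += _der(0xA0, _der(0x30, b"".join(extensions)))
    return _der(0x30, _der(0x30, tbs) + ecdsa_sha256 + _der(0x03, b"\x00" * 9))


BASE_CRL = build_sample_crl([_extension(OID_CRL_NUMBER, _der(0x02, b"\x05"))])
WELL_FORMED_DELTA = build_sample_crl([
    _extension(OID_CRL_NUMBER, _der(0x02, b"\x06")),
    _extension(OID_DELTA_CRL_INDICATOR, _der(0x02, b"\x05"), critical=True),
])
MALFORMED_DELTA = build_sample_crl([  # Delta CRL Indicator without CRL Number: the crashing shape
    _extension(OID_DELTA_CRL_INDICATOR, _der(0x02, b"\x05"), critical=True),
])

if __name__ == "__main__":
    for name, crl in [("base", BASE_CRL), ("delta", WELL_FORMED_DELTA), ("malformed", MALFORMED_DELTA)]:
        print(f"{name:10s} -> {check_delta_crl(crl)}")
```

Run the check on CRLs fetched from distribution points or pushed by integrators before they are handed to the TLS stack; anything returning "reject" should be dropped and logged rather than installed. The check deliberately runs on the raw DER, independent of the library's own CRL cache, so it holds whether or not the verifier has the fix, and a signature check on the base CRL can still be done afterwards by the normal path.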
Evidence notes
The source advisory says the issue occurs when a delta CRL carrying a Delta CRL Indicator extension is processed and the required CRL Number extension is missing, leading to a NULL pointer dereference and denial of service. It further states that exploitation requires X509_V_FLAG_USE_DELTAS, freshestCRL/EXFLAG_FRESHEST conditions, and attacker-supplied malformed CRL input. The advisory lists remediation as updating to V5.0 or later and notes that the FIPS modules in 3.6, 3.5, 3.4, 3.3, and 3.0 are not affected because the code is outside the module boundary.
Official resources
- CVE-2026-28388 CVE record (CVE.org)
- CVE-2026-28388 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in CISA ICS Advisory ICSA-26-134-10 on 2026-05-12, with a CISA republication update on 2026-05-14 reflecting Siemens ProductCERT advisory SSA-032379. No KEV listing was provided in the source corpus.