PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28390 Cert Portal CVE debrief

CVE-2026-28390 is a denial-of-service vulnerability in CMS message processing: a crafted CMS EnvelopedData message using KeyTransportRecipientInfo and RSA-OAEP can trigger a NULL pointer dereference when the optional parameters field is missing. The advisory says applications that call CMS_decrypt() on attacker-controlled input may crash before authentication or cryptographic operations complete. CISA’s republished advisory also states the affected code is outside the OpenSSL FIPS module boundary, so the FIPS modules in versions 3.6, 3.5, 3.4, 3.3, and 3.0 are not affected. The vendor remediation in the source corpus is to update to V5.0 or later for the listed Siemens product.

Vendor
Cert Portal
Product
Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-14
Advisory published
2026-05-12
Advisory updated
2026-05-14

Who should care

Security teams and operators who run applications, gateways, or services that process untrusted CMS or S/MIME data; defenders responsible for Siemens advisory intake; and teams that embed CMS_decrypt()-style workflows in exposed services.

Technical summary

The issue is a NULL pointer dereference during CMS EnvelopedData processing when KeyTransportRecipientInfo is used with RSA-OAEP encryption and the optional parameters field of the RSA-OAEP algorithm identifier is not present. Because the faulty path is reachable through attacker-controlled CMS data, the result is a crash/DoS rather than a confidentiality or integrity break. The source corpus gives a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 HIGH).

Defensive priority

High. Prioritize if your environment accepts CMS or S/MIME content from untrusted sources or exposes CMS_decrypt() functionality over a network or through semi-trusted workflows. Availability impact can be immediate and requires only crafted input.

Recommended defensive actions

  • Apply the vendor fix: update to V5.0 or later for the affected Siemens product listed in the advisory.
  • Inventory any services or applications that process CMS EnvelopedData, S/MIME, or other CMS-based protocols from untrusted sources.
  • Treat malformed or attacker-controlled CMS inputs as untrusted and place parsing paths behind strict input validation and layered isolation where possible.
  • Verify whether your deployment uses only the unaffected OpenSSL FIPS module boundary components; the advisory states the FIPS modules listed are not affected.
  • Monitor for crashes or abnormal terminations in CMS-processing components and add alerting around repeated parse failures.
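A detection sketch for the last two bullets (watching for crashes in CMS-processing components and alerting on repeated parse failures), added here as an example and not part of the advisory or of any Siemens or OpenSSL tooling. It assumes a syslog-like line format and message strings ("CMS_decrypt failed src=...", kernel and systemd crash lines) that are constructed for the example; the process name cms-gateway and all sample lines are invented, and a real deployment would adapt the regular expressions to its own log format.

```python
"""Alert on crashes of a CMS-processing service and on bursts of CMS parse
failures from one source. Example detection logic, not vendor code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> <host> <process>: <message>"
SAMPLE_LOG = """\
2026-05-12T10:00:01Z gw1 cms-gateway: CMS_decrypt failed src=203.0.113.5 err=cms_routines
2026-05-12T10:00:02Z gw1 cms-gateway: CMS_decrypt failed src=203.0.113.5 err=cms_routines
2026-05-12T10:00:03Z gw1 cms-gateway: CMS_decrypt failed src=203.0.113.5 err=cms_routines
2026-05-12T10:00:04Z gw1 kernel: cms-gateway[4242]: segfault at 0 error 4
2026-05-12T10:00:05Z gw1 systemd: cms-gateway.service: Main process exited, code=killed, status=11/SEGV
2026-05-12T10:05:00Z gw1 cms-gateway: CMS_decrypt failed src=198.51.100.7 err=cms_routines
2026-05-12T10:30:00Z gw1 cms-gateway: CMS_decrypt failed src=198.51.100.7 err=cms_routines
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
# Assumed application log message for a failed decrypt; adapt to your service.
FAIL_RE = re.compile(r"CMS_decrypt failed src=(?P<src>\S+)")
# Abnormal-termination indicators as kernel/systemd typically phrase them.
CRASH_RE = re.compile(r"segfault|SIGSEGV|status=11/SEGV|Main process exited")


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used by the assumed log format."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(lines, watched=("cms-gateway",), threshold=3, window_seconds=60):
    """Return a list of (kind, subject, detail) alerts.

    kind is "crash" for an abnormal termination of a watched process, or
    "repeated_parse_failure" when one source produces `threshold` CMS parse
    failures within `window_seconds`. Each source alerts at most once.
    """
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    already_alerted = set()
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue                # skip lines not in the assumed format
        ts, host, proc, msg = parse_ts(m["ts"]), m["host"], m["proc"], m["msg"]

        # A crash line is emitted by kernel/systemd, so check the message text
        # for the watched process name rather than the logging process.
        if CRASH_RE.search(msg) and any(w in msg or w == proc for w in watched):
            alerts.append(("crash", host, msg))
            continue

        f = FAIL_RE.search(msg)
        if f and proc in watched:
            src = f["src"]
            q = recent[src]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in already_alerted:
                already_alerted.add(src)
                alerts.append(("repeated_parse_failure", src,
                               f"{len(q)} failures in {window_seconds}s"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {subject}: {detail}")
```

On the constructed sample this raises one burst alert for 203.0.113.5 (three failures in three seconds) and two crash alerts, while the two isolated failures from 198.51.100.7, 25 minutes apart, stay below the threshold. The crash rule fires on a single event because an abnormal termination of the decrypting service is exactly the availability impact the advisory describes; the burst rule is there to catch the input pattern before the process falls over.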

Evidence notes

All claims above are drawn from the provided CISA CSAF source item and its referenced Siemens/CISA advisory material. The source item identifies CVE-2026-28390, describes the NULL pointer dereference condition, states the DoS impact, notes that the affected code is outside the OpenSSL FIPS module boundary, and lists the remediation to update to V5.0 or later. Published and modified timing used here comes from the supplied CVE and source timeline fields (published 2026-05-12; modified 2026-05-14).

Official resources

Public advisory disclosed in the supplied corpus on 2026-05-12 and republished/updated on 2026-05-14. No CISA KEV entry was provided.