CVE-2026-28388
Severity CVSS v4.0: Pending analysis
Type: CWE-476 (NULL Pointer Dereference)
Publication date: 07/04/2026
Last modified: 10/04/2026
Description
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed, a NULL pointer dereference might happen if the required CRL Number extension is missing.

Impact summary: A NULL pointer dereference can trigger a crash, which leads to a Denial of Service for an application.

When CRL processing and delta CRL processing are enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.

The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
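As an added example (not part of this record or of OpenSSL), the following pure-Python check walks a DER-encoded CRL and flags the malformed shape described above: a Delta CRL Indicator extension (OID 2.5.29.27) present while the CRL Number extension (OID 2.5.29.20) is absent. An application that fetches CRLs from untrusted sources could run such a pre-check before handing them to a verifier with X509_V_FLAG_USE_DELTAS set. The sample CRLs are constructed inline with a placeholder (unsigned) signature, and `build_sample_crl` is a hypothetical helper for this demonstration.

```python
# Added example: flag a DER CRL that carries a Delta CRL Indicator (2.5.29.27)
# but no CRL Number (2.5.29.20), the malformed shape the advisory describes.
# Pure-Python DER walking; no OpenSSL involved. OIDs are compared as raw bytes.
OID_DELTA_CRL_INDICATOR = b"\x55\x1d\x1b"   # 2.5.29.27
OID_CRL_NUMBER = b"\x55\x1d\x14"            # 2.5.29.20

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split a constructed DER body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def crl_extension_oids(crl_der):
    """Raw extnID OIDs in the crlExtensions [0] field of a DER CertificateList."""
    tbs_body = _children(_read_tlv(crl_der, 0)[1])[0][1]     # TBSCertList body
    for tag, val in _children(tbs_body):
        if tag == 0xA0:                                     # [0] EXPLICIT Extensions
            return [_children(ext)[0][1] for _, ext in _children(_children(val)[0][1])]
    return []

def is_delta_crl_without_number(crl_der):
    """True for the malformed case: Delta CRL Indicator present, CRL Number absent."""
    oids = crl_extension_oids(crl_der)
    return OID_DELTA_CRL_INDICATOR in oids and OID_CRL_NUMBER not in oids

def _der(tag, body):
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def _ext(oid, value, critical=False):
    return _der(0x30, _der(0x06, oid) + (_der(0x01, b"\xff") if critical else b"") + _der(0x04, value))

def build_sample_crl(with_crl_number):
    """Constructed minimal CRL (placeholder, unsigned) for demonstration only."""
    exts = _ext(OID_DELTA_CRL_INDICATOR, _der(0x02, b"\x05"), critical=True)   # base CRL number 5
    if with_crl_number:
        exts += _ext(OID_CRL_NUMBER, _der(0x02, b"\x06"))                      # CRL number 6
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))      # sha256WithRSAEncryption
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, b"Example CA"))))
    tbs = _der(0x02, b"\x01") + alg + issuer + _der(0x17, b"260407000000Z") + _der(0xA0, _der(0x30, exts))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00\x00\x00\x00\x00"))
```

`is_delta_crl_without_number(build_sample_crl(False))` returns True for the malformed delta CRL and False once the CRL Number extension is present; the same function accepts any DER CRL read from disk.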
Impact
Base Score 3.x: 7.50
Severity 3.x: HIGH
References to Advisories, Solutions, and Tools
- https://github.com/openssl/openssl/commit/59c3b3158553ab53275bbbccca5cb305d591cf2e
- https://github.com/openssl/openssl/commit/5a0b4930779cd2408880979db765db919da55139
- https://github.com/openssl/openssl/commit/602542f2c0c2d5edb47128f93eac10b62aeeefb3
- https://github.com/openssl/openssl/commit/a9d187dd1000130100fa7ab915f8513532cb3bb8
- https://github.com/openssl/openssl/commit/d3a901e8d9f021f3e67d6cfbc12e768129862726
- https://openssl-library.org/news/secadv/20260407.txt