A vulnerability marked as problematic has been reported in OpenSSL up to 3.6.1 . Affected by this vulnerability is the function CMS_decrypt of the component CMS KeyTransportRecipientInfo Handler . Performing a manipulation results in null pointer dereference. This vulnerability is known as CVE-2026-28390 . Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.