A vulnerability labeled as problematic has been found in OpenSSL up to 3.6.1 . Affected is the function CMS_decrypt of the component CMS EnvelopedData Message Handler . Such manipulation leads to null pointer dereference. This vulnerability is traded as CVE-2026-28389 . The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.