#VU125563 Out-of-bounds read in OpenSSL - CVE-2026-28386


Published: April 9, 2026


Vulnerability identifier: #VU125563
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-28386
CWE-ID: CWE-125
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenSSL
Software vendor: OpenSSL Software Foundation

Description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in AES-CFB-128 processing when handling partial cipher blocks on x86-64 systems with AVX-512 and VAES support. A local user can trigger processing of crafted input placed at a page boundary to cause a denial of service.

Only x86-64 systems with AVX-512 and VAES support are affected, and the issue is reached only when processing partial blocks with the following memory page unmapped.


Remediation

Install the security update from the vendor's website.

External links