The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a     NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS     data may crash before authentication or cryptographic operations occur resulting in Denial of Service.
    When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is     processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without     checking for its presence. This results in a NULL pointer dereference if the field is missing.
    Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based     protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,     as the affected code is outside the OpenSSL FIPS module boundary. (CVE-2026-28390)

Note that Nessus relies on the presence of the package as reported by the vendor.

Detections

Analytics

Linux Distros Unpatched Vulnerability : CVE-2026-28390

high Nessus Plugin ID 305224

Version 1.16