Threat Feed
medium advisory

CVE-2026-28390 NULL Dereference in CMS KeyTransportRecipientInfo Processing

CVE-2026-28390 is a vulnerability related to a possible NULL pointer dereference when processing CMS KeyTransportRecipientInfo, potentially leading to a denial-of-service condition.

CVE-2026-28390 describes a potential NULL pointer dereference that occurs while processing CMS KeyTransportRecipientInfo. The vulnerability, disclosed by Microsoft on April 29, 2026, could be exploited by a remote attacker to cause a denial-of-service condition. Specific exploitation details are not provided; what is known is that the flaw lies in the handling of CMS (Cryptographic Message Syntax) structures, specifically the key transport recipient type. A vulnerability of this class is triggered when the code reads or writes through a pointer that is NULL, which results in an access violation and a crash rather than code execution.

Attack Chain

  1. Attacker crafts a malicious CMS message containing a KeyTransportRecipientInfo structure.
  2. The crafted CMS message is sent to a vulnerable application or service.
  3. The application attempts to process the KeyTransportRecipientInfo structure.
  4. Due to a flaw in the processing logic, a NULL pointer is encountered.
  5. The application attempts to dereference the NULL pointer, trying to read or write to the invalid memory address.
  6. This dereference operation results in a crash, causing a denial-of-service.
  7. Repeated exploitation could lead to prolonged unavailability of the affected service.

Impact

Successful exploitation of CVE-2026-28390 could lead to a denial-of-service condition. The number of potential victims and the targeted sectors are not disclosed in the available information. However, any application or service that processes CMS messages containing KeyTransportRecipientInfo is potentially affected, and successful exploitation would render that service unavailable.

Recommendation

  • Monitor for abnormal process crashes in services that process CMS messages, using process monitoring telemetry (process_creation).
  • Apply the official patch released by Microsoft for CVE-2026-28390 as soon as it becomes available.
  • Inspect network traffic for malformed CMS messages being sent to internal services.

Detection coverage (2 rules)

Detect Process Crashes Potentially Related to CMS Processing

Severity: medium

Detects process crashes that may be related to a NULL pointer dereference when processing CMS messages.

Format: sigma. Tactics: availability. Sources: process_creation, windows.

Detect Suspicious Processes Handling CMS Messages

Severity: low

Detects processes that handle CMS messages, which may be an indicator of exploitation attempts targeting CVE-2026-28390.

Format: sigma. Tactics: discovery. Sources: process_creation, windows.
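The following is an added illustration of the first rule's idea (crash monitoring via process_creation telemetry) and is not one of the platform's rules or any code from the advisory. It relies on the Windows behaviour that a faulting process launches WerFault.exe with its own PID after `-p`, so a WerFault.exe child of a watched service is treated as a crash of that service. The watch list `WATCHED_CMS_HANDLERS`, the event samples, and the threshold are all constructed assumptions for this example; replace the image names with the services in your own inventory that parse CMS messages.

```python
import json
from collections import Counter

# Assumed watch list (hypothetical image names): services in this environment
# that parse CMS messages. Not taken from the advisory; adapt to your inventory.
WATCHED_CMS_HANDLERS = {"cmsgateway.exe", "mailrelay.exe"}

# Constructed Sysmon-style process_creation events as JSON lines (not real telemetry).
# Three crashes of cmsgateway.exe, one unrelated crash, one non-crash child process,
# and one WerFault launch whose -p PID does not match its parent.
SAMPLE_EVENTS = r"""
{"UtcTime": "2026-04-29 10:00:01", "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 4120 -s 512", "ParentImage": "C:\\Svc\\cmsgateway.exe", "ParentProcessId": 4120}
{"UtcTime": "2026-04-29 10:00:09", "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 4188 -s 516", "ParentImage": "C:\\Svc\\cmsgateway.exe", "ParentProcessId": 4188}
{"UtcTime": "2026-04-29 10:00:15", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 1500}
{"UtcTime": "2026-04-29 10:00:17", "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 4201 -s 520", "ParentImage": "C:\\Svc\\cmsgateway.exe", "ParentProcessId": 4201}
{"UtcTime": "2026-04-29 10:00:20", "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 2222 -s 530", "ParentImage": "C:\\Windows\\System32\\notepad.exe", "ParentProcessId": 2222}
{"UtcTime": "2026-04-29 10:00:22", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Svc\\mailrelay.exe", "ParentProcessId": 5000}
{"UtcTime": "2026-04-29 10:00:25", "Image": "C:\\Windows\\System32\\WerFault.exe", "CommandLine": "WerFault.exe -u -p 5001 -s 540", "ParentImage": "C:\\Svc\\mailrelay.exe", "ParentProcessId": 5000}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def reported_pid(command_line: str):
    """Extract the PID that follows '-p' on a WerFault.exe command line, or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens):
        if tok == "-p" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            return int(tokens[i + 1])
    return None


def is_crash_of_watched_handler(event: dict) -> bool:
    """True when WerFault.exe is launched by a watched CMS-handling service
    and reports that same service's PID (guards against unrelated WerFault runs)."""
    if basename(event.get("Image", "")) != "werfault.exe":
        return False
    parent = basename(event.get("ParentImage", ""))
    if parent not in WATCHED_CMS_HANDLERS:
        return False
    return reported_pid(event.get("CommandLine", "")) == event.get("ParentProcessId")


def find_crashes(lines) -> list:
    """Parse JSON-line events and return those that look like crashes of watched services."""
    crashes = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_crash_of_watched_handler(event):
            crashes.append(event)
    return crashes


def repeated_crash_alerts(crashes, threshold: int = 3) -> dict:
    """Map each watched service to its crash count when the count reaches the threshold.
    Repeated crashes of one CMS-processing service are the signal worth escalating."""
    counts = Counter(basename(ev["ParentImage"]) for ev in crashes)
    return {name: n for name, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_crashes(SAMPLE_EVENTS.splitlines())
    for ev in found:
        print(f"{ev['UtcTime']} crash of {basename(ev['ParentImage'])} pid {ev['ParentProcessId']}")
    print("alerts:", repeated_crash_alerts(found))
```

The PID cross-check between `-p` and `ParentProcessId` is what keeps the rule from firing on WerFault.exe instances that a watched service merely happens to spawn for another reason; the threshold turns isolated crashes into an alert only when the service keeps falling over, which is the pattern the advisory's attack chain describes.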
