{"dataType": "CVE_RECORD", "containers": {"adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Low\"}"}}}], "affected": [{"vendor": "redhat", "product": "mokutil", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-devel", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-perl", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-libs", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-aarch64", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-ovmf", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-aa64", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-unsigned-x64", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-x64", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-tools", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-tools-doc", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-unsigned-aarch64", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-28386"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451099"}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28386"}, {"url": "https://openssl-library.org/news/secadv/20260407.txt"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "A flaw was found in openssl. Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support may experience a Denial of Service (DoS). This occurs when processing partial cipher blocks, specifically if the input buffer ends at a memory page boundary and the subsequent page is unmapped. This can lead to an out-of-bounds read of up to 15 bytes and a potential application crash."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-07T00:00:00Z", "x_subShortName": "redhat_10"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Low\"}"}}}], "affected": [{"vendor": "redhat", "product": "openssl", "platforms": ["cpe:/o:redhat:enterprise_linux:6"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-devel", "platforms": ["cpe:/o:redhat:enterprise_linux:6"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-perl", "platforms": ["cpe:/o:redhat:enterprise_linux:6"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-static", "platforms": ["cpe:/o:redhat:enterprise_linux:6"], "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "A flaw was found in openssl. Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support may experience a Denial of Service (DoS). This occurs when processing partial cipher blocks, specifically if the input buffer ends at a memory page boundary and the subsequent page is unmapped. This can lead to an out-of-bounds read of up to 15 bytes and a potential application crash. \n            This vulnerability has a Low impact on Red Hat products. It affects applications utilizing AES-CFB128 encryption or decryption on systems equipped with AVX-512 and VAES, potentially leading to a Denial of Service due to an out-of-bounds read when processing partial cipher blocks under specific memory conditions. The CFB mode is not employed in widely used protocols such as TLS/DTLS, which limits the applicability of this flaw.\n            Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-07T00:00:00Z", "x_subShortName": "redhat_6"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Low\"}"}}}], "affected": [{"vendor": "redhat", "product": "AAVMF", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "OVMF", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-devel", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-libs", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-perl", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-static", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "ovmf", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "A flaw was found in openssl. Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support may experience a Denial of Service (DoS). This occurs when processing partial cipher blocks, specifically if the input buffer ends at a memory page boundary and the subsequent page is unmapped. This can lead to an out-of-bounds read of up to 15 bytes and a potential application crash. \n            This vulnerability has a Low impact on Red Hat products. It affects applications utilizing AES-CFB128 encryption or decryption on systems equipped with AVX-512 and VAES, potentially leading to a Denial of Service due to an out-of-bounds read when processing partial cipher blocks under specific memory conditions. The CFB mode is not employed in widely used protocols such as TLS/DTLS, which limits the applicability of this flaw.\n            Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-07T00:00:00Z", "x_subShortName": "redhat_7"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Low\"}"}}}], "affected": [{"vendor": "redhat", "product": "compat-openssl10", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-aarch64", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-ovmf", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "mingw32-openssl", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "mingw64-openssl", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-devel", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-libs", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-perl", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-static", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-aa64", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-ia32", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-unsigned-x64", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-x64", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "A flaw was found in openssl. Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support may experience a Denial of Service (DoS). This occurs when processing partial cipher blocks, specifically if the input buffer ends at a memory page boundary and the subsequent page is unmapped. This can lead to an out-of-bounds read of up to 15 bytes and a potential application crash. \n            This vulnerability has a Low impact on Red Hat products. It affects applications utilizing AES-CFB128 encryption or decryption on systems equipped with AVX-512 and VAES, potentially leading to a Denial of Service due to an out-of-bounds read when processing partial cipher blocks under specific memory conditions. The CFB mode is not employed in widely used protocols such as TLS/DTLS, which limits the applicability of this flaw.\n            Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-07T00:00:00Z", "x_subShortName": "redhat_8"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Low\"}"}}}], "affected": [{"vendor": "redhat", "product": "compat-openssl11", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-aarch64", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-ovmf", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-tools", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "edk2-tools-doc", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-devel", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-libs", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "openssl-perl", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-aa64", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-unsigned-aarch64", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-unsigned-x64", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}, {"vendor": "redhat", "product": "shim-x64", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "A flaw was found in openssl. Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support may experience a Denial of Service (DoS). This occurs when processing partial cipher blocks, specifically if the input buffer ends at a memory page boundary and the subsequent page is unmapped. This can lead to an out-of-bounds read of up to 15 bytes and a potential application crash. \n            This vulnerability has a Low impact on Red Hat products. It affects applications utilizing AES-CFB128 encryption or decryption on systems equipped with AVX-512 and VAES, potentially leading to a Denial of Service due to an out-of-bounds read when processing partial cipher blocks under specific memory conditions. The CFB mode is not employed in widely used protocols such as TLS/DTLS, which limits the applicability of this flaw.\n            Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-07T00:00:00Z", "x_subShortName": "redhat_9"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Moderate\"}"}}}], "affected": [{"vendor": "suse", "product": "libopenssl1_1", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1-32bit", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-devel", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-3-devel", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl3", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-3", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-1_1-devel", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-development-tools:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-1_0_0-devel", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-legacy:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_0_0", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-legacy:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-1_0_0", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-legacy:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-1_1", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-legacy:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl10", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-legacy:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_0_0-hmac", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-legacy:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1-hmac", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1-hmac-32bit", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp2", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles-ltss:15:sp5", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp2", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles:15:sp5", "cpe:/o:suse:sles_sap:15:sp4", "cpe:/o:suse:sles_sap:15:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-1_1-devel-32bit", "platforms": ["cpe:/o:suse:oes-release:23.4", "cpe:/o:suse:oes-release:24.4", "cpe:/o:suse:sles-ltss:15:sp1", "cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles-ltss:15:sp4", "cpe:/o:suse:sles:15:sp1", "cpe:/o:suse:sles:15:sp3", "cpe:/o:suse:sles:15:sp4", "cpe:/o:suse:sles_sap:15:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-3-fips-provider", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-3-fips-provider-32bit", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-fips-provider", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl3-32bit", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles-ltss:15:sp6", "cpe:/o:suse:sles:15:sp6", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp6", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-1_1-doc", "platforms": ["cpe:/o:suse:sles-ltss:15:sp3", "cpe:/o:suse:sles:15:sp3"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "SUSE bug 1260440"}], "references": [{"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28386", "name": "Mitre CVE-2026-28386"}, {"url": "https://www.suse.com/security/cve/CVE-2026-28386", "name": "SUSE CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "\n    Issue summary: Applications using AES-CFB128 encryption or decryption on\nsystems with AVX-512 and VAES support can trigger an out-of-bounds read\nof up to 15 bytes when processing partial cipher blocks.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not written to output.\n\nThe vulnerable code path is only reached when processing partial blocks\n(when a previous call left an incomplete block and the current call provides\nfewer bytes than needed to complete it). Additionally, the input buffer\nmust be positioned at a page boundary with the following page unmapped.\nCFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or\nChaCha20-Poly1305 instead. For these reasons the issue was assessed as\nLow severity according to our Security Policy.\n\nOnly x86-64 systems with AVX-512 and VAES instruction support are affected.\nOther architectures and systems without VAES support use different code\npaths that are not affected.\n\nOpenSSL FIPS module in 3.6 version is affected by this issue.\n    "}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-04-08T00:00:00Z", "x_subShortName": "suse_server_15"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Moderate\"}"}}}], "affected": [{"vendor": "suse", "product": "libopenssl-3-devel", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-3-fips-provider", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-3-fips-provider-32bit", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-devel", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-fips-provider", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1-32bit", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl3", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl3-32bit", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-3", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-basesystem:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-1_1-devel", "platforms": ["cpe:/o:suse:oes-release:25.4", "cpe:/o:suse:sle-module-development-tools:15:sp7", "cpe:/o:suse:sle_hpc:15:sp7", "cpe:/o:suse:sled:15:sp7", "cpe:/o:suse:sles:15:sp7", "cpe:/o:suse:sles_sap:15:sp7"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "SUSE bug 1260440"}], "references": [{"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28386", "name": "Mitre CVE-2026-28386"}, {"url": "https://www.suse.com/security/cve/CVE-2026-28386", "name": "SUSE CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "\n    Issue summary: Applications using AES-CFB128 encryption or decryption on\nsystems with AVX-512 and VAES support can trigger an out-of-bounds read\nof up to 15 bytes when processing partial cipher blocks.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not written to output.\n\nThe vulnerable code path is only reached when processing partial blocks\n(when a previous call left an incomplete block and the current call provides\nfewer bytes than needed to complete it). Additionally, the input buffer\nmust be positioned at a page boundary with the following page unmapped.\nCFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or\nChaCha20-Poly1305 instead. For these reasons the issue was assessed as\nLow severity according to our Security Policy.\n\nOnly x86-64 systems with AVX-512 and VAES instruction support are affected.\nOther architectures and systems without VAES support use different code\npaths that are not affected.\n\nOpenSSL FIPS module in 3.6 version is affected by this issue.\n    "}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-04-08T00:00:00Z", "x_subShortName": "suse_desktop_15"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Moderate\"}"}}}], "affected": [{"vendor": "suse", "product": "libopenssl0_9_8", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl0_9_8-32bit", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl0_9_8-hmac", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl0_9_8-hmac-32bit", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1-devel", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_0_0", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_0_0-32bit", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-doc", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl1", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl1-doc", "platforms": ["cpe:/o:suse:sles:11:sp4"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "SUSE bug 1260440"}], "references": [{"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28386", "name": "Mitre CVE-2026-28386"}, {"url": "https://www.suse.com/security/cve/CVE-2026-28386", "name": "SUSE CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "\n    Issue summary: Applications using AES-CFB128 encryption or decryption on\nsystems with AVX-512 and VAES support can trigger an out-of-bounds read\nof up to 15 bytes when processing partial cipher blocks.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not written to output.\n\nThe vulnerable code path is only reached when processing partial blocks\n(when a previous call left an incomplete block and the current call provides\nfewer bytes than needed to complete it). Additionally, the input buffer\nmust be positioned at a page boundary with the following page unmapped.\nCFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or\nChaCha20-Poly1305 instead. For these reasons the issue was assessed as\nLow severity according to our Security Policy.\n\nOnly x86-64 systems with AVX-512 and VAES instruction support are affected.\nOther architectures and systems without VAES support use different code\npaths that are not affected.\n\nOpenSSL FIPS module in 3.6 version is affected by this issue.\n    "}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-04-08T00:00:00Z", "x_subShortName": "suse_server_11"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Moderate\"}"}}}], "affected": [{"vendor": "suse", "product": "openssl-doc", "platforms": ["cpe:/o:suse:sles:12:sp2"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-devel", "platforms": ["cpe:/o:suse:sles:12:sp2", "cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_0_0", "platforms": ["cpe:/o:suse:sles:12:sp2", "cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_0_0-32bit", "platforms": ["cpe:/o:suse:sles:12:sp2", "cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_0_0-hmac", "platforms": ["cpe:/o:suse:sles:12:sp2", "cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_0_0-hmac-32bit", "platforms": ["cpe:/o:suse:sles:12:sp2", "cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl", "platforms": ["cpe:/o:suse:sles:12:sp2", "cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-1_0_0-devel", "platforms": ["cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1", "platforms": ["cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1-32bit", "platforms": ["cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1-hmac", "platforms": ["cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl1_1-hmac-32bit", "platforms": ["cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-1_0_0", "platforms": ["cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-1_0_0-doc", "platforms": ["cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-1_1", "platforms": ["cpe:/o:suse:sles:12:sp4", "cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-1_0_0-devel-32bit", "platforms": ["cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-1_1-devel", "platforms": ["cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-1_1-devel-32bit", "platforms": ["cpe:/o:suse:sles:12:sp5"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl0_9_8", "platforms": ["cpe:/o:suse:sles_sap:12:sp5"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "SUSE bug 1260440"}], "references": [{"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28386", "name": "Mitre CVE-2026-28386"}, {"url": "https://www.suse.com/security/cve/CVE-2026-28386", "name": "SUSE CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "\n    Issue summary: Applications using AES-CFB128 encryption or decryption on\nsystems with AVX-512 and VAES support can trigger an out-of-bounds read\nof up to 15 bytes when processing partial cipher blocks.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not written to output.\n\nThe vulnerable code path is only reached when processing partial blocks\n(when a previous call left an incomplete block and the current call provides\nfewer bytes than needed to complete it). Additionally, the input buffer\nmust be positioned at a page boundary with the following page unmapped.\nCFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or\nChaCha20-Poly1305 instead. For these reasons the issue was assessed as\nLow severity according to our Security Policy.\n\nOnly x86-64 systems with AVX-512 and VAES instruction support are affected.\nOther architectures and systems without VAES support use different code\npaths that are not affected.\n\nOpenSSL FIPS module in 3.6 version is affected by this issue.\n    "}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-04-08T00:00:00Z", "x_subShortName": "suse_server_12"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Moderate\"}"}}}], "affected": [{"vendor": "suse", "product": "libopenssl-3-devel", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-3-fips-provider", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-3-fips-provider-x86-64-v3", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-devel", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl-fips-provider", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl3", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "libopenssl3-x86-64-v3", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-3", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}, {"vendor": "suse", "product": "openssl-3-doc", "platforms": ["cpe:/o:suse:sles:16.0", "cpe:/o:suse:sles_sap:16.0"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "SUSE bug 1260440"}], "references": [{"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28386", "name": "Mitre CVE-2026-28386"}, {"url": "https://www.suse.com/security/cve/CVE-2026-28386", "name": "SUSE CVE-2026-28386"}], "descriptions": [{"lang": "en", "value": "\n    Issue summary: Applications using AES-CFB128 encryption or decryption on\nsystems with AVX-512 and VAES support can trigger an out-of-bounds read\nof up to 15 bytes when processing partial cipher blocks.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not written to output.\n\nThe vulnerable code path is only reached when processing partial blocks\n(when a previous call left an incomplete block and the current call provides\nfewer bytes than needed to complete it). Additionally, the input buffer\nmust be positioned at a page boundary with the following page unmapped.\nCFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or\nChaCha20-Poly1305 instead. For these reasons the issue was assessed as\nLow severity according to our Security Policy.\n\nOnly x86-64 systems with AVX-512 and VAES instruction support are affected.\nOther architectures and systems without VAES support use different code\npaths that are not affected.\n\nOpenSSL FIPS module in 3.6 version is affected by this issue.\n    "}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-04-08T00:00:00Z", "x_subShortName": "suse_server_16"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "unknown", "product": "unknown", "defaultStatus": "unknown"}], "references": [{"url": "https://github.com/openssl/openssl/commit/61f428a2fc6671ede184a19f71e6e495f0689621"}, {"url": "https://openssl-library.org/news/secadv/20260407.txt"}], "descriptions": [{"lang": "en", "value": "Issue summary: Applications using AES-CFB128 encryption or decryption on\nsystems with AVX-512 and VAES support can trigger an out-of-bounds read\nof up to 15 bytes when processing partial cipher blocks.\n\nImpact summary: This out-of-bounds read may trigger a crash which leads to\nDenial of Service for an application if the input buffer ends at a memory\npage boundary and the following page is unmapped. There is no information\ndisclosure as the over-read bytes are not written to output.\n\nThe vulnerable code path is only reached when processing partial blocks\n(when a previous call left an incomplete block and the current call provides\nfewer bytes than needed to complete it). Additionally, the input buffer\nmust be positioned at a page boundary with the following page unmapped.\nCFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or\nChaCha20-Poly1305 instead. For these reasons the issue was assessed as\nLow severity according to our Security Policy.\n\nOnly x86-64 systems with AVX-512 and VAES instruction support are affected.\nOther architectures and systems without VAES support use different code\npaths that are not affected.\n\nOpenSSL FIPS module in 3.6 version is affected by this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-A000-000000000003", "shortName": "DISCARDED_CNA", "dateUpdated": "2026-04-07T22:16:20Z", "x_subShortName": "nvd"}}}, "cveMetadata": {"cveId": "CVE-2026-28386", "state": "PUBLISHED", "dateUpdated": "2026-04-10T21:16:22Z", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "datePublished": "2026-04-07T22:16:20Z", "assignerShortName": "openssl"}, "dataVersion": "5.0"}