Commit d6ad8595e8 for openssl.org

commit d6ad8595e86dc96ca8771f0a1714b31794befa75
Author: Daniel Kubec <kubec@openssl.org>
Date:   Tue Mar 17 11:11:22 2026 +0100

    Fix NULL Dereference When Delta CRL Lacks CRL Number Extension

    Fixes CVE-2026-28388

    Co-authored-by: Igor Morgenstern <igor.morgenstern@aisle.com>

    Reviewed-by: Saša NedvÄ›dický <sashan@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Mon Apr  6 19:27:16 2026

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 4acf1c9e77..d1848142b8 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1620,6 +1620,8 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
     if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
         return 0;
     /* Delta CRL number must exceed full CRL number */
+    if (delta->crl_number == NULL)
+        return 0;
     return ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0;
 }
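Review bot: The added guard `if (delta->crl_number == NULL)` lands between the existing comment "Delta CRL number must exceed full CRL number" and the comparison that comment describes, and the guard itself is left unexplained. I would give the guard its own comment, `/* A delta CRL with no CRL Number extension cannot be ordered against the base: reject it */`, and move the existing comment down so it sits directly above the final `return`. Separately, `base->crl_number` is passed to `ASN1_INTEGER_cmp` on both comparison lines in this hunk. check_delta_base starts outside the hunk, so a NULL check for it is presumably earlier in the function, which is worth confirming alongside this fix.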