Vulnerability DatabaseCVE-2026-28386

CVE-2026-28386:
OpenSSL vulnerability analysis and mitigation

Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output.

The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy.

Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected.

OpenSSL FIPS module in 3.6 version is affected by this issue.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

9.1

Score

Published April 7, 2026

Severity CRITICAL

CNA Score 9.1

Affected Technologies

OpenSSL
Linux Debian

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 20.5

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

seal-openssl
AAVMF

Sources

NVD
Chainguard
- Chainguard No FixAdded at: Apr 09, 2026
Debian Security Tracker
- Debian 14 Severity CRITICALNo FixAdded at: Apr 09, 2026
Red Hat Errata
- Red Hat 6, 7, 8, 9, 10 Severity LOWNo FixAdded at: Apr 12, 2026
Seal Security
- Debian Severity CRITICALHas FixAdded at: Apr 09, 2026
- Red Hat 6, 7, 9 Severity CRITICALHas FixAdded at: Apr 12, 2026
VulnCheck NVD++
- Linux Severity CRITICALHas FixAdded at: Apr 09, 2026
- Windows Severity CRITICALHas FixAdded at: Apr 09, 2026
Wolfi
- Wolfi No FixAdded at: Apr 09, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related OpenSSL vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-31790	HIGH	7.5	OpenSSL	edk2-ovmf	No	Yes	Apr 07, 2026
CVE-2026-28390	HIGH	7.5	OpenSSL	samba-winbind-clients	No	Yes	Apr 07, 2026
CVE-2026-28389	HIGH	7.5	OpenSSL	openssl-perl	No	Yes	Apr 07, 2026
CVE-2026-28388	HIGH	7.5	OpenSSL	edk2	No	Yes	Apr 07, 2026
CVE-2026-31789	HIGH	7.3	OpenSSL	libopenssl-3-devel-32bit	No	Yes	Apr 07, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2026-28386: OpenSSL vulnerability analysis and mitigation