Fix NULL Dereference When Delta CRL Lacks CRL Number Extension
authorDaniel Kubec <kubec@openssl.org>
Tue, 17 Mar 2026 10:11:22 +0000 (11:11 +0100)
committerTomas Mraz <tomas@openssl.foundation>
Mon, 6 Apr 2026 19:27:40 +0000 (21:27 +0200)
Fixes CVE-2026-28388

Co-authored-by: Igor Morgenstern <igor.morgenstern@aisle.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Apr  6 19:27:16 2026
(cherry picked from commit d6ad8595e86dc96ca8771f0a1714b31794befa75)

crypto/x509/x509_vfy.c

index ad59ed572bebc57ebc1cb3ea61787f166e292ab6..3bc755bd7e2aed9d6b11df25275dd4578fede285 100644 (file)
@@ -1617,6 +1617,8 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
     if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
         return 0;
     /* Delta CRL number must exceed full CRL number */
+    if (delta->crl_number == NULL)
+        return 0;
     return ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0;
 }
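Review bot: The existing comment `/* Delta CRL number must exceed full CRL number */` now sits directly above the new NULL guard rather than the comparison it describes, which leaves the guard itself undocumented. I would give the guard its own comment, for example `/* Delta CRL must have a CRL number */`, and move the original comment down so it immediately precedes the final `return ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0;`. Both comparisons in the hunk also pass `base->crl_number` to `ASN1_INTEGER_cmp`. Whether that field is NULL-checked earlier cannot be seen here, because check_delta_base begins outside the hunk, so it is worth confirming that a base CRL missing the same extension is rejected before this point.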