From: Daniel Kubec Date: Tue, 17 Mar 2026 10:11:22 +0000 (+0100) Subject: Fix NULL Dereference When Delta CRL Lacks CRL Number Extension X-Git-Tag: openssl-4.0.0~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab33402a3f9a41ded52d703d2fdd6ddc64157d07;p=thirdparty%2Fopenssl.git Fix NULL Dereference When Delta CRL Lacks CRL Number Extension Fixes CVE-2026-28388 Co-authored-by: Igor Morgenstern Reviewed-by: Saša Nedvědický Reviewed-by: Tomas Mraz MergeDate: Mon Apr 6 19:27:16 2026 (cherry picked from commit d6ad8595e86dc96ca8771f0a1714b31794befa75) --- diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ad59ed572be..3bc755bd7e2 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1617,6 +1617,8 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base) if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) return 0; /* Delta CRL number must exceed full CRL number */ + if (delta->crl_number == NULL) + return 0; return ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0; }
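Review bot: the new `if (delta->crl_number == NULL)` check in check_delta_base() sits between the comment "Delta CRL number must exceed full CRL number" and the `ASN1_INTEGER_cmp(delta->crl_number, base->crl_number)` return that the comment describes, so the comment now appears to document the NULL test. Give the check its own comment, stating that a delta CRL without a CRL Number extension is rejected, and keep the existing comment directly above the return. The patch as shown touches only crypto/x509/x509_vfy.c; a regression test that feeds a delta CRL lacking the CRL Number extension through verification and expects rejection rather than a crash would keep this from reappearing.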