HIGH 7.5

CVE-2026-34180: OpenSSL ASN.1 Decoder Integer Truncation Vulnerability

OpenSSL contains a flaw in how it processes certain encoded certificate and data structures (ASN.1 format) that can cause applications to crash or read memory they shouldn't access. The vulnerability is triggered when an attacker crafts a specially formatted file with an unusually large size declaration—over 2 gigabytes—which confuses OpenSSL's decoder into reading beyond safe memory boundaries. This primarily affects server applications and services running on 64-bit Unix systems that directly process untrusted certificate or cryptographic data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-34180 is an integer truncation vulnerability in OpenSSL's ASN.1 decoder affecting 64-bit Unix and Unix-like platforms. When parsing a DER-encoded ASN.1 primitive element with a declared content length exceeding 2 GB, an integer truncation causes the length value to be mishandled. The resulting truncated length may be treated as a directive to scan for a terminating zero byte, leading to heap buffer over-read conditions. The vulnerability resides outside the FIPS module boundary, meaning FIPS-validated deployments in OpenSSL 3.0, 3.4, 3.5, 3.6, and 4.0 are not affected. Functions such as d2i_X509(), d2i_PKCS7(), and related d2i_* decoders are affected when processing attacker-controlled input.

Business impact

For organizations running OpenSSL-based services, this vulnerability creates a denial-of-service (DoS) attack vector and a potential information disclosure risk. An attacker can craft a malicious certificate or serialized cryptographic structure and send it to any service that validates or parses certificates directly—including TLS implementations, VPN gateways, email servers, and custom authentication systems. Exploitation could cause service crashes, disrupting availability. The memory-read component means sensitive data (keys, tokens, configuration) resident in heap memory could potentially be exposed, though such exposure depends on the specific application context. The requirement for attacker-supplied data to reach the decoder (not filtered by BIO layer abstractions) means custom applications are at higher risk than those using standard OpenSSL command-line tools.

Affected systems

OpenSSL versions with the vulnerable ASN.1 decoder are affected. The vulnerability is specific to 64-bit Unix and Unix-like operating systems (Linux, BSD, macOS); 32-bit platforms and 64-bit Windows are not affected. Any application embedding OpenSSL that parses untrusted DER-encoded ASN.1 structures—particularly X.509 certificates or PKCS#7 messages—is at risk. FIPS-validated modules (versions 3.0, 3.4, 3.5, 3.6, 4.0) are explicitly out of scope for this issue. Non-FIPS OpenSSL deployments require immediate patching. Verify your specific OpenSSL version and whether the application directly invokes d2i_* functions against external input.

Exploitability

The vulnerability has low barriers to exploitation. An attacker needs only to craft a malicious DER-encoded file or structure and transmit it to a vulnerable service—no authentication, user interaction, or special privileges are required. The network-accessible nature (CVSS vector AV:N) and lack of complexity (AC:L) make it straightforward for remote exploitation. However, practical impact depends on service behavior: a crash (DoS) is easily achieved; information disclosure via memory read is possible but may require application-specific knowledge. The requirement that the attacker-supplied data bypass the BIO layer and reach the decoder directly provides a marginal defense in standard usage scenarios, but many custom implementations and direct file-parsing workflows do not employ this protection.

Remediation

Apply the security patch provided by OpenSSL as soon as practicable. Verify the patch against your OpenSSL version branch (consult the official OpenSSL advisory for version-specific guidance). For systems that cannot be patched immediately, implement network-level controls to restrict which clients can submit certificate data or ASN.1-encoded structures to your services. Where possible, deploy OpenSSL in FIPS mode (versions 3.0+) which is not affected. Consider leveraging certificate pinning and strict certificate validation policies to reduce exposure. Audit applications that directly call d2i_* functions and prioritize patching those first.

Patch guidance

Consult the official OpenSSL advisory for the specific patched version targeting your deployment branch. Patches typically follow the OpenSSL versioning convention (e.g., 3.x.x, 1.1.1w) and are released concurrently across supported branches. Apply patches to all systems running OpenSSL libraries, not just the primary server package—many third-party libraries and language runtimes bundle OpenSSL, so comprehensive inventory is essential. Test the patch in a staging environment first, particularly if you rely on FIPS certification, to ensure compliance is maintained. Plan for service restarts, as many processes require binary reloads to use the patched library.

Detection guidance

Monitor application logs for unexpected crashes, segmentation faults, or memory-related errors in OpenSSL calls, particularly during certificate validation or ASN.1 parsing. Intrusion detection systems can be configured to flag abnormally large ASN.1 length declarations in network traffic (look for DER-encoded structures with length fields suggesting multi-gigabyte content). File integrity monitoring on configuration and certificate repositories may detect unauthorized injection of crafted structures. Correlate crashes with network ingress points where certificates or serialized data are received. Enable verbose OpenSSL logging in development or staging to observe parsing failures; this baseline helps identify anomalous behavior in production. Note that successful memory disclosure may not produce obvious signals, so rely on general anomaly detection (unusual memory access patterns, heap corruption indicators) as secondary indicators.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (7.5), network-exploitable attack vector, and broad applicability across Unix-based infrastructure. The denial-of-service component alone justifies rapid patching given the low exploitation barrier. Organizations running custom certificate validators, API gateways, or any service that processes untrusted X.509 or PKCS#7 data should prioritize this in their patch cycle. The fact that FIPS modules are excluded provides a targeted mitigation for some regulated environments but does not excuse delay for non-FIPS deployments. The potential for memory disclosure elevates the risk beyond simple DoS and warrants treatment as a critical control measure.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and causing severe impact on availability (A:H). Confidentiality and integrity scores are none (C:N, I:N), though the over-read condition theoretically permits memory disclosure, the primary impact is availability. The score is elevated by the ease of triggering a crash through a crafted input. The lack of current KEV listing does not diminish priority; it reflects the recent disclosure window. Organizational risk is heightened if you operate internet-facing services processing certificates, operate in regulated sectors requiring strong availability posture, or run non-FIPS OpenSSL versions.

Frequently asked questions

Does this affect my organization if we use OpenSSL's command-line tools (openssl verify, openssl s_server)?

No. OpenSSL's own command-line tools are explicitly not vulnerable because they process data through the BIO (Basic I/O) abstraction layer, which performs input validation before the data reaches the vulnerable decoder. The vulnerability only impacts applications that directly invoke d2i_* functions with untrusted input, or applications that have disabled BIO-level validation.

Are we protected if we run OpenSSL in FIPS mode?

Yes, if your deployment uses FIPS-validated modules in OpenSSL 3.0, 3.4, 3.5, 3.6, or 4.0, the vulnerable code is outside the FIPS module boundary and is not active. However, verify your exact configuration with your OpenSSL vendor, and note that non-FIPS standard mode is still vulnerable even in these versions.

Can an attacker exploit this to steal cryptographic keys or secrets?

The vulnerability allows a heap buffer over-read, which means OpenSSL may read memory beyond the input buffer. In theory, sensitive data resident in nearby heap memory (such as decrypted private key material or authentication tokens) could be exposed. However, practical exploitation depends on memory layout, application behavior, and what data happens to be adjacent in the heap. Denial-of-service via crash is the more straightforward attack. Treat the information disclosure risk as a secondary concern but reason enough to patch promptly.

Which platforms are actually affected?

Only 64-bit Unix and Unix-like operating systems (Linux, BSD, macOS, etc.) are affected. 32-bit systems are not affected due to differences in integer representation, and 64-bit Windows is not affected. Verify your deployment platform before assessing risk.

This analysis is provided for informational purposes and represents a point-in-time assessment based on the CVE and vendor data available as of the publication date. Specific patch versions, vendor guidance, and advisory details are subject to change; always consult the official OpenSSL security advisory for definitive remediation steps. This explainer does not constitute legal, compliance, or formal security advice. Organizations should conduct their own risk assessment aligned with their security policies, regulatory requirements, and operational context. Testing patches in controlled environments before production deployment is mandatory. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).