MEDIUM 5.0

CVE-2026-35188: OpenSSL TLS OCSP Stapling Double-Free Vulnerability

A flaw in OpenSSL's handling of TLS OCSP stapling—an optimization that allows servers to provide certificate validity proof directly—can cause a double-free memory error in connecting clients. When a malicious server sends a specially crafted OCSP response, it triggers corruption of the client's heap memory. While OCSP stapling is disabled by default, organizations that have explicitly enabled it face exposure. The vulnerability reliably causes denial of service; remote code execution is theoretically possible but difficult to reliably achieve in practice.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-415
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path. Impact summary: Successful exploitation allows an attacker to corrupt heap memory via a double-free, potentially leading to a Denial of Service or possibly an attacker controlled code execution or other undefined behavior. If OCSP stapling is enabled and the TLS client connects to a malicious server, a crafted OCSP stapled response can trigger a double free in the TLS client when the stapled response is checked. The OCSP stapling is not enabled by default. Reliable code execution through a double-free is technically complex and highly environment-dependent but the Denial of Service impact is straightforward to achieve, warranting Moderate severity. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35188 is a double-free vulnerability in OpenSSL's certificate verification code path triggered by a malicious server delivering a crafted OCSP stapled response via the TLS status_request extension. The flaw resides outside the OpenSSL FIPS module boundary. Exploitation requires the client to have OCSP stapling enabled and to connect to an attacker-controlled server; the resulting heap corruption can lead to process termination or potentially to code execution depending on heap state and environment specifics. The attack vector is network-based with low privilege requirements and no user interaction needed.

Business impact

The denial-of-service impact affects TLS clients that rely on OCSP stapling for certificate validation—particularly relevant for services handling high-volume connections, where connection exhaustion could disrupt availability. Organizations running OpenSSL-based TLS clients with OCSP stapling enabled should treat this as a stability and availability risk. The risk of remote code execution, while not straightforward, means that patching should be prioritized in defense-in-depth strategies even if DoS alone is the primary concern.

Affected systems

OpenSSL is the affected product. The vulnerability applies to TLS clients using OpenSSL where OCSP stapling (status_request extension) has been explicitly enabled in the application configuration. Since OCSP stapling is opt-in by default, exposure is limited to environments that have specifically activated this feature. Check your OpenSSL build configuration and application settings to determine if this is enabled in your deployment.

Exploitability

Exploitation requires network access and either local privilege context or ability to direct the target client to a malicious server. OCSP stapling must be enabled—a non-default configuration that significantly reduces attack surface. An attacker must craft a valid-looking but malicious OCSP response; the mechanics are well-understood but require direct control of the server the client connects to or a position to intercept and modify responses. There is no evidence of active exploitation or proof-of-concept code in public circulation at this time.

Remediation

Apply the OpenSSL security patch addressing CVE-2026-35188 once released by the OpenSSL project. As an interim measure, disable OCSP stapling in TLS client configurations if it is not essential to your operations. Monitor OpenSSL security advisories for patch availability and version guidance. Verify that FIPS-validated OpenSSL modules are not affected, as the vulnerability lies outside the FIPS module boundary.

Patch guidance

Monitor the OpenSSL project's official security advisory page for patch availability and affected version details. Once a patch is released, test it in a non-production environment before deployment. Patch the OpenSSL library used by your TLS clients, whether that is system-wide or embedded in an application. Verify after patching that OCSP stapling functionality still operates correctly if it is required for your certificate validation workflow.

Detection guidance

Monitor for unexpected TLS client crashes or process terminations, especially in services with OCSP stapling enabled. Inspect application logs for segmentation faults or heap corruption warnings. Use address sanitizers (ASAN) or memory debugging tools during testing to detect double-free errors early. Network-based detection is difficult, as the attack looks like a normal TLS handshake followed by stapled certificate delivery; focus detection efforts on endpoint behavior and heap state anomalies.

Why prioritize this

Despite the MEDIUM CVSS score, prioritize this vulnerability for organizations that have explicitly enabled OCSP stapling in production TLS clients. The attack requires no user interaction and can be triggered remotely by a malicious server, making it a straightforward denial-of-service vector. Although reliable code execution is not trivial, the ease of triggering DoS and the potential for undefined behavior warrant timely patching in any environment running vulnerable configurations.

Risk score, explained

CVSS 5.0 (MEDIUM) reflects the network attack vector, the requirement for explicit configuration and server-side attacker presence, and the complexity of reliably achieving code execution. The score appropriately weights the guaranteed denial-of-service impact against the lower probability of exploitable code execution. Organizations with OCSP stapling disabled face minimal practical risk; those with it enabled should treat the score as understating their operational risk and prioritize accordingly.

Frequently asked questions

Is OCSP stapling enabled by default in OpenSSL?

No. OCSP stapling is an optional optimization that must be explicitly enabled in application configuration. If you have not specifically activated the status_request extension in your TLS client settings, you are not exposed to this vulnerability.

Can this vulnerability affect FIPS-validated OpenSSL builds?

No. The vulnerable code path lies outside the OpenSSL FIPS module boundary. Organizations using FIPS-validated modules for cryptographic operations are not affected by this issue.

What is the practical difference between denial-of-service and code execution risk here?

Denial of service via process crash is straightforward and reliably triggered. Code execution via double-free heap corruption is theoretically possible but depends on heap layout, memory allocator state, and environment-specific conditions—making it difficult to reliably exploit in practice. Defenders should assume DoS is the primary threat while remaining vigilant for unexpected behavior.

How should we respond if we discover OCSP stapling enabled in our environment?

First, verify whether OCSP stapling is truly required for your certificate validation workflow. If not essential, disable it as an immediate interim control. In parallel, monitor for OpenSSL patch availability and plan deployment. If OCSP stapling is required, accelerate patch testing and deployment timelines.

This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores, affected product versions, and patch availability are provided by the OpenSSL project and NIST; verify against the official OpenSSL security advisory for authoritative guidance. This content is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment based on their specific infrastructure, configurations, and threat model before making patching or remediation decisions. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).