HIGH 8.1

CVE-2026-7383: OpenSSL ASN1 Signed Integer Overflow Leading to Heap Corruption

OpenSSL contains a flaw in how it calculates memory buffer sizes when converting text strings to Unicode formats. When processing very large inputs—on the order of half a gigabyte or more—the size calculation wraps around to an incorrect (much smaller) value due to signed integer overflow. This causes OpenSSL to allocate a tiny buffer but then write far more data into it, corrupting the heap. An attacker who can supply specially crafted input directly to the affected functions could crash the application or potentially execute arbitrary code, though real-world exploitation requires unusual circumstances.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-787
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in ASN1_mbstring_copy() and ASN1_mbstring_ncopy(), functions that convert character strings to ASN.1 Unicode formats (BMPSTRING/UTF-16, UNIVERSALSTRING/UTF-32, UTF8STRING). The destination buffer size is computed using a signed 32-bit integer. For BMPSTRING and UNIVERSALSTRING, the calculation uses left-shift operations that overflow when the input character count approaches 2^30. In the worst case (UNIVERSALSTRING with ~2^30 characters), the size wraps to zero, triggering OPENSSL_malloc(1) and followed by an out-of-bounds heap write of several gigabytes. UTF8STRING calculates size by summing per-character byte counts, which can also overflow. X.509 certificate processing is protected by input validation at higher layers (ASN1_STRING_set_by_NID), so the vulnerability is not exploitable through standard certificate handling. Exploitation requires direct function calls or custom ASN1 type registration with attacker-controlled input exceeding roughly 500 MB in size.

Business impact

The severity classification reflects the restricted attack surface: X.509 certificate processing—OpenSSL's most common use case in production—cannot trigger this flaw due to input validation at higher layers. However, applications that directly call the vulnerable ASN1 functions or implement custom ASN1 string types remain at risk. A successful exploit could lead to denial of service (application crash) or, in principle, code execution. Organizations using OpenSSL in standard TLS/certificate validation workflows face minimal direct risk; those integrating OpenSSL's ASN1 parsing for custom or niche use cases should assess whether untrusted data flows to the affected functions.

Affected systems

OpenSSL versions 3.0 through 4.0 are affected. The FIPS modules within OpenSSL 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because the vulnerable code lies outside the FIPS module boundary. Any application statically or dynamically linking OpenSSL and directly invoking ASN1_mbstring_copy() or ASN1_mbstring_ncopy() with untrusted input is potentially vulnerable. This is less common than standard certificate or TLS processing, which use higher-level APIs with built-in guards.

Exploitability

Exploitability is constrained by several factors. First, triggering the overflow requires input on the order of 500 MB to several gigabytes—a substantial payload that is impractical in many network contexts. Second, most common OpenSSL use cases (TLS, certificate validation) do not route untrusted data through the vulnerable functions; they use ASN1_STRING_set_by_NID(), which enforces per-NID length limits and excludes UNIVERSALSTRING. Third, successful exploitation requires either direct calls to the vulnerable functions or custom ASN1 type registration, neither of which is typical. The CVSS 3.1 score of 8.1 (HIGH) reflects potential for code execution if exploitation were possible; the actual CVSS temporality is tempered by the low probability in practice.

Remediation

Update OpenSSL to a patched version that corrects the signed integer overflow in buffer size computation. Verify the specific patched version against the official OpenSSL security advisory. Applications should review whether they directly call ASN1_mbstring_copy() or ASN1_mbstring_ncopy() or register custom ASN1 string types; if so, ensure that input size and encoding are strictly validated before passing to these functions. Standard TLS and certificate processing workflows need not be re-architected.

Patch guidance

Apply the security update released by the OpenSSL project in response to CVE-2026-7383. Consult the official OpenSSL advisory for specific patched version numbers and upgrade paths for your branch (e.g., 3.0.x, 3.4.x, 3.6.x, 4.0.x). FIPS-validated deployments should note that the FIPS module boundary is not crossed by this vulnerability, so module re-validation may not be required; confirm with your FIPS provider or vendor. Testing should confirm that applications linking the updated OpenSSL library function correctly, especially if custom ASN1 processing is in use.

Detection guidance

Monitor for unexpected process crashes or memory violations in applications using OpenSSL, particularly those that process or parse ASN1 structures from untrusted sources. Memory sanitizers (ASAN, MSAN) and heap corruption detectors will flag the out-of-bounds write if the vulnerability is triggered during testing. Review application logs for calls to ASN1_mbstring_copy() or ASN1_mbstring_ncopy() with unusually large input sizes (>100 MB). Intrusion detection can be of limited value here because the payload size and direct function calls are hard to observe at the network level in typical TLS scenarios.

Why prioritize this

Although the CVSS score is 8.1 (HIGH), the actual exploitability in production is low because standard OpenSSL use cases are protected by input validation at higher layers. Prioritize patching if your organization uses OpenSSL for custom ASN1 parsing, direct calls to vulnerable functions, or accepts untrusted ASN1 input in sizes exceeding 100 MB. For standard TLS and certificate validation use cases, patching should follow your normal patch cycle but is not an emergency; the risk is real but indirect.

Risk score, explained

The CVSS 3.1 score of 8.1 reflects the technical severity of a heap buffer overflow that could lead to code execution (HIGH impact across confidentiality, integrity, and availability). The attack vector is network-accessible (AV:N), and no privileges or user interaction are required (PR:N, UI:N). However, the attack complexity is high (AC:H) because the attacker must supply half a gigabyte or more of input, which is impractical in many network contexts, and because standard OpenSSL processing paths are guarded by length limits. The score does not fully discount the restricted real-world attack surface; organizations using only standard TLS/certificate workflows should treat this as a moderate-priority patch rather than a critical one.

Frequently asked questions

Does this vulnerability affect my TLS connections or X.509 certificate processing?

Very unlikely. OpenSSL's certificate and TLS code paths use ASN1_STRING_set_by_NID(), which enforces length limits and explicitly excludes UNIVERSALSTRING, the most dangerous variant. You are affected only if you call ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly in your application code.

Can an attacker exploit this over the network without sending half a gigabyte of data?

No. The overflow occurs only when the input reaches approximately 2^30 characters (around 500 MB to several gigabytes depending on encoding). An attacker cannot trigger the flaw with smaller payloads, which is a significant practical barrier.

Are FIPS-validated deployments affected?

No. The OpenSSL FIPS modules (versions 3.0–4.0) do not include the vulnerable code path. If you are using an OpenSSL FIPS module, you are not at risk from this vulnerability, though you should still update the non-FIPS OpenSSL library for defense in depth.

What should I do if my application directly calls ASN1_mbstring_copy()?

Apply the security patch from OpenSSL immediately and validate that all untrusted input to these functions is size-limited (e.g., <100 MB). Consider adding explicit length checks or migrating to higher-level OpenSSL APIs if feasible.

This analysis is provided for informational purposes and does not constitute legal or professional security advice. Organizations should conduct their own risk assessment based on their specific use of OpenSSL and ASN1 processing. Patch version numbers, KEV status, and vendor-specific guidance should be verified against official OpenSSL security advisories and vendor documentation. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).