Use-after-free Vulnerability in OpenSSL Products Related to DANE TLSA Records
CVE-2026-28387

Currently unrated

Key Information:

Vendor

OpenSSL
Status
OpenSSL
Vendor
CVE Published:
7 April 2026

What is CVE-2026-28387?

An uncommon configuration involving clients that perform DANE TLSA-based server authentication can result in a use-after-free and double-free vulnerability. This issue occurs when clients connect to a server that publishes TLSA records using both PKIX-TA(0/PKIX-EE(1) and DANE-TA(2) certificate usages. Although this is a rare scenario, it may lead to data corruption, application crashes, or the execution of arbitrary code. Most standard deployments, particularly in SMTP MTAs, mitigate this risk by ignoring TLSA records with PKIX usages, making those clients safe from this vulnerability. FIPS modules remain unaffected as the problematic code lies outside the FIPS boundary.

Affected Version(s)

OpenSSL 3.6.0 < 3.6.2

OpenSSL 3.5.0 < 3.5.6

OpenSSL 3.4.0 < 3.4.5

References

https://openssl-library.org/news/secadv/20260407.txt
vendor-advisory
https://github.com/openssl/openssl/commit/258a8f63b26995b...
patch
https://github.com/openssl/openssl/commit/444958deaf450ae...
patch

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Igor Morgenstern (Aisle Research)
Viktor Dukhovni
Alexandr Nedvedicky
.