Use-after-free Vulnerability in OpenSSL Products Related to DANE TLSA Records
CVE-2026-28387

8.1HIGH

Key Information:

Vendor

OpenSSL
Status
OpenSSL
Vendor
CVE Published:
7 April 2026

What is CVE-2026-28387?

An uncommon configuration involving clients that perform DANE TLSA-based server authentication can result in a use-after-free and double-free vulnerability. This issue occurs when clients connect to a server that publishes TLSA records using both PKIX-TA(0/PKIX-EE(1) and DANE-TA(2) certificate usages. Although this is a rare scenario, it may lead to data corruption, application crashes, or the execution of arbitrary code. Most standard deployments, particularly in SMTP MTAs, mitigate this risk by ignoring TLSA records with PKIX usages, making those clients safe from this vulnerability. FIPS modules remain unaffected as the problematic code lies outside the FIPS boundary.

Affected Version(s)

OpenSSL 3.6.0 < 3.6.2

OpenSSL 3.5.0 < 3.5.6

OpenSSL 3.4.0 < 3.4.5

References

https://openssl-library.org/news/secadv/20260407.txt
vendor-advisory
https://github.com/openssl/openssl/commit/258a8f63b26995b...
patch
https://github.com/openssl/openssl/commit/444958deaf450ae...
patch

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Igor Morgenstern (Aisle Research)
Viktor Dukhovni
Alexandr Nedvedicky
.