Heap Buffer Overflow in OpenSSL Affecting X.509 Certificate Handling
CVE-2026-31789


Key Information:

Vendor: OpenSSL

Status: Vendor

CVE Published: 7 April 2026

What is CVE-2026-31789?

CVE-2026-31789 is a heap buffer overflow in OpenSSL that can occur when an unusually large OCTET STRING in an X.509 certificate is converted, specifically in extensions such as Subject Key Identifier and Authority Key Identifier. The issue is specific to 32-bit platforms: an attacker who supplies a certificate containing an excessively large OCTET STRING can trigger improper buffer allocation, which may lead to a crash or, potentially, code execution. Printing or logging such large certificates is rare in practice, but the vulnerability underscores the importance of handling X.509 certificates securely.

Affected Version(s)

  • OpenSSL 3.6.0 up to, but not including, 3.6.2

  • OpenSSL 3.5.0 up to, but not including, 3.5.6

  • OpenSSL 3.4.0 up to, but not including, 3.4.5

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

  • Quoc Tran (Xint.io - US Team)

  • Igor Ustinov