Double-free When Checking OCSP Stapled Response_CVE-2026-35188

5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

Issue summary: A malicious server can exploit TLS OCSP stapling by delivering
a crafted response through the status_request extension, triggering a
double-free in the client's certificate verification path.

Impact summary: Successful exploitation allows an attacker to corrupt heap
memory via a double-free, potentially leading to a Denial of Service or
possibly an attacker controlled code execution or other undefined behavior.

If OCSP stapling is enabled and the TLS client connects to a malicious server,
a crafted OCSP stapled response can trigger a double free in the TLS client
when the stapled response is checked.

The OCSP stapling is not enabled by default. Reliable code execution
through a double-free is technically complex and highly environment-dependent
but the Denial of Service impact is straightforward to achieve, warranting
Moderate severity.

No FIPS modules are affected by this issue as the affected code is outside
the OpenSSL FIPS module boundary.

Basic Information

ID CVE-2026-35188

Source openssl

Published Jun 9, 2026 at 16:03

Modified Jun 10, 2026 at 20:02

Affected Product

Vendor OpenSSL

Product OpenSSL

Version 4.0.0

Affected Versions OpenSSL OpenSSL 4.0.0
OpenSSL OpenSSL 3.6.0

CWE Classification

CWE-415

References

{
    "lastseen": "",
    "description": "Issue summary: A malicious server can exploit TLS OCSP stapling by delivering\na crafted response through the status_request extension, triggering a\ndouble-free in the client's certificate verification path.\n\nImpact summary: Successful exploitation allows an attacker to corrupt heap\nmemory via a double-free, potentially leading to a Denial of Service or\npossibly an attacker controlled code execution or other undefined behavior.\n\nIf OCSP stapling is enabled and the TLS client connects to a malicious server,\na crafted OCSP stapled response can trigger a double free in the TLS client\nwhen the stapled response is checked.\n\nThe OCSP stapling is not enabled by default. Reliable code execution\nthrough a double-free is technically complex and highly environment-dependent\nbut the Denial of Service impact is straightforward to achieve, warranting\nModerate severity.\n\nNo FIPS modules are affected by this issue as the affected code is outside\nthe OpenSSL FIPS module boundary.",
    "published": "2026-06-09T16:03:24.395Z",
    "modified": "2026-06-10T20:02:41.587Z",
    "type": "cve",
    "title": "Double-free When Checking OCSP Stapled Response",
    "source": "openssl",
    "references": "https://openssl-library.org/news/secadv/20260609.txt\nhttps://github.com/openssl/openssl/commit/78d0154cffda03aaaac63a087cc523a6b35fa8fd\nhttps://github.com/openssl/openssl/commit/131145d25659e8749a9ed1afb383484854cffb78",
    "id": "CVE-2026-35188",
    "bulletinFamily": "",
    "cwe": [
        "CWE-415"
    ],
    "cvelist": null,
    "sourceData": "OpenSSL OpenSSL 4.0.0\nOpenSSL OpenSSL 3.6.0",
    "sourceHref": "",
    "cvss": {
        "score": 5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "OpenSSL",
    "version": "4.0.0",
    "vendor": "OpenSSL",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}