High

Heap Buffer Over-read in OpenSSL ASN.1 Content Parsing

IdentifiersCVE-2026-34180CWE-190

CVE-2026-34180 is a low-severity vulnerability in OpenSSL's ASN.1 decoder caused by integer truncation when parsing crafted DER-encoded ASN.1 primitive elements whose content length exceeds 2 gigabytes. On affected 64-bit Unix and Unix-like platforms, the oversized content length is mishandled during d2i_* decoding. In the worst case, the truncated length is interpreted as a request to scan binary content for a terminating zero byte, which can cause OpenSSL to read less than intended or beyond the end of the allocated input buffer. The issue affects applications that pass attacker-controlled ASN.1/DER data to functions such as d2i_X509(), d2i_PKCS7(), or other d2i_* decoding APIs. OpenSSL command-line tools are not affected because BIO-layer checks prevent the vulnerable code path. The issue does not affect 32-bit platforms, 64-bit Windows, or the OpenSSL FIPS modules in the 4.0, 3.6, 3.5, 3.4, and 3.0 branches.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause a heap buffer over-read, which may crash the consuming application and result in denial of service. It may also cause decoded ASN.1 objects to incorporate memory contents read from beyond the end of the supplied input buffer, creating an information disclosure condition. The content notes that in more typical cases such ASN.1 elements would instead be truncated. There is no specific evidence in the provided material that this issue leads to code execution.

Mitigation

If you can’t patch tonight, do this now.

Until patched versions are deployed, avoid passing attacker-supplied DER-encoded ASN.1 data into affected d2i_* decoding functions such as d2i_X509(), d2i_PKCS7(), and similar APIs on affected platforms. Where feasible, enforce strict input size validation before decoding, reject unusually large ASN.1 elements, and reduce exposure of parsing paths that accept untrusted certificates, PKCS#7, or other ASN.1-based objects. OpenSSL command-line tools are not affected because the BIO layer performs checks before the vulnerable code is reached.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release for the affected branch. The provided content states fixes are available in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh, and 1.0.2zq. Downstream vendors may also provide patched package versions, and vendor-supported updates should be applied where applicable.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A low-severity OpenSSL heap buffer over-read in ASN.1 content parsing caused by integer truncation in the ASN.1 decoder when parsing oversized DER-encoded primitive elements, potentially causing denial of service or unintended memory reads.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-34180

NVD

nvd.nist.gov/vuln/detail/CVE-2026-34180

MITRE CWE · CWE-190

cwe.mitre.org

github.com

github.com/openssl/security/commit/1c6908e4fa5fa568752221d8eaf561a809751e5d

github.com

github.com/openssl/security/commit/cbe418ae978539cf14a398a207dba834c0e93e83

github.com

github.com/openssl/security/commit/d93853c42110d6319e3df07842b488cb9f7ac5ff

github.com

github.com/openssl/security/commit/da5d62af75f69d6fbf7803743d7c56ac75461e43

github.com

github.com/openssl/security/commit/f696c73c3e61b8c502d040af62e690c060908a16

openssl-library.org

openssl-library.org/news/secadv/20260609.txt