Mallory
High

Possible Heap Buffer Overflow in OpenSSL ASN.1 Multibyte String Conversion

Identifiers: CVE-2026-7383, CWE-190

CVE-2026-7383 is a low-severity vulnerability in OpenSSL's ASN.1 multibyte string conversion logic, specifically in ASN1_mbstring_copy() and ASN1_mbstring_ncopy(). When producing Unicode output, the code computes the destination buffer size in a signed int. For BMPSTRING and UNIVERSALSTRING this is done via left-shifting the input character count to account for UTF-16 or UTF-32 width; for UTF8STRING it sums per-character byte counts. With extremely large attacker-controlled input, approximately on the order of 2^30 characters, this size calculation can overflow the signed integer. The overflow can cause an undersized heap allocation; in the worst case for UNIVERSALSTRING, the computed size wraps to zero, OPENSSL_malloc(1) is invoked, and the subsequent copy operation writes far beyond the allocated buffer. OpenSSL states that normal X.509 certificate processing does not reach this condition because ASN1_STRING_set_by_NID() applies DIRSTRING_TYPE restrictions and per-NID length limits, so no standard network protocol or certificate-handling path exercises the bug.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause a heap buffer overflow, leading to process crash, memory corruption, undefined behavior, and potentially attacker-controlled code execution. OpenSSL assessed the issue as Low severity because exploitation is not reachable through standard certificate-processing or network protocol paths and requires unusually large attacker-controlled input.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid passing attacker-controlled large multibyte string data into ASN1_mbstring_copy() or ASN1_mbstring_ncopy(), and avoid custom ASN.1 string handling paths that register permissive string types via ASN1_STRING_TABLE_add(). Enforce strict application-level input size limits well below the overflow threshold, especially for any code paths performing ASN.1 multibyte string conversion outside standard X.509 handling. Standard certificate-processing paths are not believed to be exploitable for this issue.
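The size arithmetic described in the vulnerability summary, and the input-size check this mitigation calls for, as an added illustrative model (not OpenSSL's source): the unsafe pattern computes the output byte count in a 32-bit signed int by shifting the character count, while the checked versions refuse any count whose encoded length cannot fit in an int. The function names and the 64-bit-then-truncate modelling of the wrap are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Output encodings and their per-character width expressed as a left shift:
 * BMPSTRING = UTF-16 (2 bytes, shift 1), UNIVERSALSTRING = UTF-32 (4 bytes, shift 2). */
#define SHIFT_BMPSTRING       1
#define SHIFT_UNIVERSALSTRING 2

/* Unsafe pattern (model): the byte count lands in a 32-bit signed int after a shift.
 * Computed in 64 bits and truncated so the wrap is reproducible without relying on
 * undefined signed-shift behaviour. For 1<<30 UNIVERSALSTRING characters this returns 0. */
int naive_fixed_width_size(uint32_t nchar, int shift)
{
    uint64_t full = (uint64_t)nchar << shift;   /* true byte count */
    return (int)(uint32_t)full;                 /* what a 32-bit int would hold */
}

/* Hardened pattern: reject any character count whose encoded length exceeds INT_MAX.
 * Returns 1 and stores the size on success, 0 if the conversion must be refused. */
int checked_fixed_width_size(size_t nchar, int shift, int *out)
{
    if (nchar > (size_t)(INT_MAX >> shift))
        return 0;                               /* nchar << shift would not fit in int */
    *out = (int)(nchar << shift);
    return 1;
}

/* UTF-8 length of one code point, or -1 for a value outside the Unicode range. */
static int utf8_bytes(uint32_t cp)
{
    if (cp < 0x80)     return 1;
    if (cp < 0x800)    return 2;
    if (cp < 0x10000)  return 3;
    if (cp < 0x110000) return 4;
    return -1;
}

/* Hardened UTF8STRING sizing: the per-character sum is bounds-checked before each
 * addition instead of being allowed to wrap. */
int checked_utf8_size(const uint32_t *cps, size_t n, int *out)
{
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        int b = utf8_bytes(cps[i]);
        if (b < 0 || total > INT_MAX - b)
            return 0;                           /* invalid code point or overflow */
        total += b;
    }
    *out = total;
    return 1;
}
```

An application-level limit "well below the overflow threshold" is simply a tighter bound than `INT_MAX >> shift` in `checked_fixed_width_size`, chosen from what the application legitimately needs to encode.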

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release provided by the vendor or downstream distribution. The advisory indicates fixes were issued in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21, with older supported branches also receiving updates where applicable via downstream vendors. Apply the relevant vendor package updates if using a bundled or distribution-maintained OpenSSL. The OpenSSL FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected because the vulnerable code is outside the FIPS module boundary.
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor    Product    Type
Freebsd   Freebsd    application

Vendor-confirmed product mapping.
