Potential Use-after-free in DANE Client Code
Summary
| CVE | CVE-2026-28387 |
|---|---|
| State | PUBLISHED |
| Assigner | openssl |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-07 22:16:20 UTC |
| Updated | 2026-04-23 15:39:25 UTC |
| Description | Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use-after-free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs, for which RFC 7672 recommends that clients treat as "unusable" any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset containing both types of TLSA records. No FIPS modules are affected by this issue; the problem code is outside the FIPS module boundary. |
Risk And Classification
Primary CVSS: v3.1 8.1 HIGH from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.000210000 probability, percentile 0.055150000 (date 2026-04-14)
Problem Types: CWE-416 Use After Free
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Vector String | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | OpenSSL | OpenSSL | 3.6.0 to 3.6.2 (affected; semver) | Not specified |
| CNA | OpenSSL | OpenSSL | 3.5.0 to 3.5.6 (affected; semver) | Not specified |
| CNA | OpenSSL | OpenSSL | 3.4.0 to 3.4.5 (affected; semver) | Not specified |
| CNA | OpenSSL | OpenSSL | 3.3.0 to 3.3.7 (affected; semver) | Not specified |
| CNA | OpenSSL | OpenSSL | 3.0.0 to 3.0.20 (affected; semver) | Not specified |
| CNA | OpenSSL | OpenSSL | 1.1.1 to 1.1.1zg (affected; custom versioning) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7 | [email protected] | github.com | Patch |
| github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b | [email protected] | github.com | Patch |
| openssl-library.org/news/secadv/20260407.txt | [email protected] | openssl-library.org | Vendor Advisory |
| github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe | [email protected] | github.com | Patch |
| github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3 | [email protected] | github.com | Patch |
| github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177 | [email protected] | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Igor Morgenstern (Aisle Research) (en)
CNA: Viktor Dukhovni (en)
CNA: Alexandr Nedvedicky (en)
There are currently no legacy QID mappings associated with this CVE.