{"api_version":"1","generated_at":"2026-06-10T13:42:37+00:00","cve":"CVE-2026-7383","urls":{"html":"https://cve.report/CVE-2026-7383","api":"https://cve.report/api/cve/CVE-2026-7383.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-7383","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-7383"},"summary":{"title":"Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion","description":"Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary.","state":"PUBLISHED","assigner":"openssl","published_at":"2026-06-09 17:17:50","updated_at":"2026-06-10 08:16:25"},"problem_types":["CWE-787","CWE-787 CWE-787 Out-of-bounds Write"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6","name":"https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974","name":"https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083","name":"https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74","name":"https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://openssl-library.org/news/secadv/20260609.txt","name":"https://openssl-library.org/news/secadv/20260609.txt","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255","name":"https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255","refsource":"openssl-security@openssl.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6","name":"https://github.com/openssl/security/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/80c15faaf78042bbb8654a0e234c50c381732f74","name":"https://github.com/openssl/security/commit/80c15faaf78042bbb8654a0e234c50c381732f74","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/bd17511070fb39a67bfa19682affb765e706a974","name":"https://github.com/openssl/security/commit/bd17511070fb39a67bfa19682affb765e706a974","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/c332adaced43bcbb85f97410597e951c11ec3083","name":"https://github.com/openssl/security/commit/c332adaced43bcbb85f97410597e951c11ec3083","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/openssl/security/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255","name":"https://github.com/openssl/security/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255","refsource":"MITRE","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-7383","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7383","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 4.0.0 4.0.1 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.6.0 3.6.3 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.5.0 3.5.7 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.4.0 3.4.6 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 3.0.0 3.0.21 semver","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 1.1.1 1.1.1zh custom","platforms":[]},{"source":"CNA","vendor":"OpenSSL","product":"OpenSSL","version":"affected 1.0.2 1.0.2zq custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Zehua Qiao","lang":"en"},{"source":"CNA","value":"Jinwen He","lang":"en"},{"source":"CNA","value":"Viktor Dukhovni","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-7383","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-06-09T00:00:00+00:00","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-10T03:58:57.944Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"OpenSSL","vendor":"OpenSSL","versions":[{"lessThan":"4.0.1","status":"affected","version":"4.0.0","versionType":"semver"},{"lessThan":"3.6.3","status":"affected","version":"3.6.0","versionType":"semver"},{"lessThan":"3.5.7","status":"affected","version":"3.5.0","versionType":"semver"},{"lessThan":"3.4.6","status":"affected","version":"3.4.0","versionType":"semver"},{"lessThan":"3.0.21","status":"affected","version":"3.0.0","versionType":"semver"},{"lessThan":"1.1.1zh","status":"affected","version":"1.1.1","versionType":"custom"},{"lessThan":"1.0.2zq","status":"affected","version":"1.0.2","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","value":"Zehua Qiao"},{"lang":"en","type":"reporter","value":"Jinwen He"},{"lang":"en","type":"remediation developer","value":"Viktor Dukhovni"}],"datePublic":"2026-06-09T14:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Issue summary: A signed integer overflow when sizing the destination<br>buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap<br>buffer overflow.<br><br>Impact summary: A heap buffer overflow may lead to a crash or possibly<br>attacker controlled code execution or other undefined behaviour.<br><br>In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination<br>size for Unicode output is computed in a signed int: by left shift<br>of the input character count for BMPSTRING (UTF-16) and<br>UNIVERSALSTRING (UTF-32), and by summing per-character byte counts<br>for UTF8STRING. The calculation overflows when the input reaches<br>around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30<br>characters) the size wraps to zero, OPENSSL_malloc(1) is called, and<br>the subsequent character copy writes several gigabytes past the<br>one-byte allocation.<br><br>X.509 certificate processing routes through ASN1_STRING_set_by_NID(),<br>whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID<br>size limits cap the input length; no network protocol or<br>certificate-handling path in OpenSSL exercises the overflow.<br>Triggering the bug requires an application that calls<br>ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers<br>a custom string type via ASN1_STRING_TABLE_add(), with<br>attacker-controlled input on the order of half a gigabyte or more.<br>For these reasons this issue was assigned Low severity.<br><br>The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by<br>this issue, as the affected code is outside the OpenSSL FIPS module<br>boundary."}],"value":"Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary."}],"metrics":[{"format":"other","other":{"content":{"text":"Low"},"type":"https://openssl-library.org/policies/general/security-policy/"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"CWE-787 Out-of-bounds Write","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T07:47:47.578Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"name":"OpenSSL Advisory","tags":["vendor-advisory"],"url":"https://openssl-library.org/news/secadv/20260609.txt"},{"name":"4.0.1 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255"},{"name":"3.6.3 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083"},{"name":"3.5.7 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74"},{"name":"3.4.6 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6"},{"name":"3.0.21 git commit","tags":["patch"],"url":"https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974"}],"source":{"discovery":"UNKNOWN"},"title":"Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2026-7383","datePublished":"2026-06-09T16:03:15.508Z","dateReserved":"2026-04-29T08:21:07.253Z","dateUpdated":"2026-06-10T07:47:47.578Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-09 17:17:50","lastModifiedDate":"2026-06-10 08:16:25","problem_types":["CWE-787","CWE-787 CWE-787 Out-of-bounds Write"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"7383","Ordinal":"1","Title":"Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversi","CVE":"CVE-2026-7383","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"7383","Ordinal":"1","NoteData":"Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary.","Type":"Description","Title":"Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversi"}]}}}