Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Potential Use-After-Free in OpenSSL DANE Client Code

IdentifiersCVE-2026-28387CWE-416· Use After Free

CVE-2026-28387 is a low-severity memory-safety flaw in OpenSSL's DANE client processing. Under an uncommon client configuration that performs DANE TLSA-based server authentication, a server TLSA RRset containing both PKIX certificate usages (PKIX-TA(0) and/or PKIX-EE(1)) and DANE-TA(2) certificate usage can trigger a client-side use-after-free and/or double-free condition. The issue is limited to clients that process both of those TLSA usage classes together; clients that treat PKIX usages as unusable per RFC 7672 guidance, such as typical SMTP MTAs, are not affected, and clients that support only PKIX usages while ignoring DANE-TA(2) are also not vulnerable. The vulnerable code is outside the OpenSSL FIPS module boundary.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can corrupt memory in the client process and may lead to application crashes or other denial-of-service conditions. As with use-after-free flaws generally, the consequences can extend to corruption of valid data and potentially arbitrary code execution, although the provided information does not confirm practical code-execution exploitability for this specific issue. The issue affects the client side only.

Mitigation

If you can’t patch tonight, do this now.

Avoid vulnerable DANE client behavior by not processing mixed TLSA RRsets that combine PKIX usages with DANE-TA(2), where operationally feasible. SMTP MTAs that follow RFC 7672 guidance and treat PKIX TLSA usages as unusable are not vulnerable. Clients that ignore DANE-TA(2) and support only PKIX usages are also not vulnerable. More generally, disable or avoid DANE TLSA-based authentication in affected clients until patched if exposure cannot otherwise be constrained.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release. According to the provided content, fixes are included in OpenSSL 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, and 1.1.1zg. OpenSSL 1.0.2 is not affected. Downstream distributions should consume the corresponding vendor-updated packages.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

17 SOURCESView more in app
alpinelinuxNews
Apr 15, 2026
Alpine Linue stable releases 3.20.10, 3.21.7, 3.22.4, 3.23.4 | Alpine Linux

A specific vulnerability in OpenSSL addressed in Alpine Linux stable releases 3.20.10, 3.21.7, 3.22.4, and 3.23.4.

Read more
help net securityNews
Apr 8, 2026
OpenSSL 3.6.2 lands with eight CVE fixes - Help Net Security

A potential use-after-free in DANE client code in OpenSSL.

Read more
cyberthroneNews
Apr 8, 2026
OpenSSL 3.6.2: The Moderate Severity Wave - TheCyberThrone

A potential use-after-free in OpenSSL DANE client code that can expose affected applications to denial-of-service conditions when processing crafted input.

Read more
openssl libraryNews
Apr 7, 2026
OpenSSL Release Announcement for 3.6.2, 3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg and 1.0.2zp | OpenSSL Library

Potential use-after-free in OpenSSL DANE client code.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity11

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-28387
NVD
nvd.nist.gov/vuln/detail/CVE-2026-28387
MITRE CWE · CWE-416
Use After Free
Patch
github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b
Patch
github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe
Patch
github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3
Patch
github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7
Patch
github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177
Vendor Advisory
openssl-library.org/news/secadv/20260407.txt
cert-portal.siemens.com
cert-portal.siemens.com/productcert/html/ssa-032379.html
cert-portal.siemens.com
cert-portal.siemens.com/productcert/html/ssa-265688.html