Medium

OpenSSL TLS Client Double-Free in OCSP Stapled Response Checking

IdentifiersCVE-2026-35188CWE-415· Double Free

CVE-2026-35188 is a double-free vulnerability in the OpenSSL TLS client certificate verification path when processing a crafted OCSP stapled response delivered by a server via the TLS status_request extension. When OCSP stapling is enabled on the client, a malicious server can send a specially crafted stapled OCSP response that triggers a double-free during stapled-response validation/checking. The flaw affects OpenSSL 4.0.0 before 4.0.1 and 3.6.0 before 3.6.3. The vulnerable code is outside the OpenSSL FIPS module boundary, and no FIPS modules are affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation corrupts heap memory through a double-free condition in the client process. The most reliable outcome is denial of service via client crash or other undefined behavior. Depending on allocator behavior, memory layout, and runtime environment, the heap corruption could potentially be developed into attacker-controlled code execution, although the available information states that reliable code execution is technically complex and highly environment-dependent.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable or avoid enabling OCSP stapling processing on TLS clients, since the issue is only reachable when stapled OCSP responses are checked. As a compensating control, restrict client connections to trusted servers where feasible and reduce exposure to attacker-controlled endpoints. Defense-in-depth measures may reduce exploit reliability, but they do not remove the underlying memory-corruption risk.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release: 4.0.1 or later for the 4.0 branch, or 3.6.3 or later for the 3.6 branch. More generally, apply the vendor-provided OpenSSL security update for the affected branch. Validate that linked applications and distributions have incorporated the patched library versions.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

security online infoNews

Jun 10, 2026

OpenSSL Security Patches Fix Remote Code Execution Risk

An OpenSSL double-free vulnerability during OCSP stapling/certificate status evaluation that can be triggered by a malicious external server, leading primarily to application crash.

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A moderate OpenSSL double-free vulnerability in TLS client OCSP stapling response handling that may cause denial of service and potentially code execution in complex environments.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-35188

NVD

nvd.nist.gov/vuln/detail/CVE-2026-35188

MITRE CWE · CWE-415

Double Free

Patch

github.com/openssl/openssl/commit/131145d25659e8749a9ed1afb383484854cffb78

Patch

github.com/openssl/openssl/commit/78d0154cffda03aaaac63a087cc523a6b35fa8fd

Vendor Advisory

openssl-library.org/news/secadv/20260609.txt