High

Heap Buffer Overflow in OpenSSL ASN.1 Multibyte String Conversion

IdentifiersCVE-2026-7383CWE-190

CVE-2026-7383 is a low-severity vulnerability in OpenSSL's ASN.1 multibyte string conversion logic, specifically in ASN1_mbstring_copy() and ASN1_mbstring_ncopy(). The flaw is caused by a signed integer overflow when calculating the destination buffer size for Unicode output. For BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), the size is derived by left-shifting the input character count; for UTF8STRING, the size is accumulated from per-character byte counts. When the input reaches roughly 2^30 characters, the signed int used for sizing can overflow. In the worst case, a UNIVERSALSTRING input of about 2^30 characters causes the computed size to wrap to zero, resulting in OPENSSL_malloc(1) followed by a copy operation that writes far beyond the allocated heap buffer. OpenSSL states that normal X.509 certificate processing does not reach this condition because ASN1_STRING_set_by_NID() applies DIRSTRING_TYPE restrictions and per-NID length limits, excluding the dangerous UNIVERSALSTRING path in certificate handling.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause a heap buffer overflow, leading to process crashes, memory corruption, undefined behavior, and potentially attacker-controlled code execution. OpenSSL assessed the issue as Low severity because no standard network protocol or certificate-processing path in OpenSSL is known to exercise the vulnerable condition, and exploitation requires unusually large attacker-controlled input.

Mitigation

If you can’t patch tonight, do this now.

Avoid exposing ASN1_mbstring_copy() and ASN1_mbstring_ncopy() to attacker-controlled input, especially very large Unicode strings. Do not register custom ASN.1 string types via ASN1_STRING_TABLE_add() in ways that permit oversized attacker-supplied BMPSTRING, UNIVERSALSTRING, or UTF8STRING values. Enforce strict application-level maximum input lengths well below the overflow threshold. Where possible, rely on standard OpenSSL certificate-handling paths rather than direct use of the affected low-level APIs.

Remediation

Patch, then assume compromise.

Upgrade to a vendor-fixed OpenSSL release for the affected branch. The provided context indicates fixes were issued in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21. Downstream operating system and distribution packages should be updated to their corresponding patched builds. If source-level remediation is required, the vulnerable size calculations in ASN1_mbstring_copy() and ASN1_mbstring_ncopy() must be changed to use overflow-safe bounds checking and appropriately sized integer types before allocation and copy operations.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A low-severity OpenSSL heap buffer overflow in ASN.1 multibyte string conversion due to signed integer overflow when sizing Unicode output buffers, with limited practical attack surface.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-7383

NVD

nvd.nist.gov/vuln/detail/CVE-2026-7383

MITRE CWE · CWE-190

cwe.mitre.org

github.com

github.com/openssl/security/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6

github.com

github.com/openssl/security/commit/80c15faaf78042bbb8654a0e234c50c381732f74

github.com

github.com/openssl/security/commit/bd17511070fb39a67bfa19682affb765e706a974

github.com

github.com/openssl/security/commit/c332adaced43bcbb85f97410597e951c11ec3083

github.com

github.com/openssl/security/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255

openssl-library.org

openssl-library.org/news/secadv/20260609.txt