High

Heap Buffer Over-read in OpenSSL ASN.1 Content Parsing

IdentifiersCVE-2026-34180CWE-190

CVE-2026-34180 is a low-severity vulnerability in OpenSSL's ASN.1 decoder caused by integer truncation when parsing crafted DER-encoded ASN.1 primitive elements whose content length exceeds 2 gigabytes. On affected 64-bit Unix and Unix-like platforms, the oversized length is mishandled during decoding of attacker-controlled ASN.1 data passed to functions such as d2i_X509(), d2i_PKCS7(), and other d2i_* decoders. In the worst case, the truncated length is treated as a request to scan binary content for a terminating zero byte, which can cause a heap buffer over-read and result in the decoded ASN.1 object incorporating memory beyond the end of the input buffer. OpenSSL command-line tools are not affected because BIO-layer checks prevent the vulnerable code path. The issue does not affect 32-bit platforms or 64-bit Windows.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause application crashes, resulting in denial of service, or can lead to information disclosure by causing OpenSSL to read memory beyond the end of the supplied input buffer and load that memory into the decoded ASN.1 object. The issue is described as a heap buffer over-read rather than a write primitive, so the documented impacts are process instability/crash and unintended exposure of adjacent heap contents.

Mitigation

If you can’t patch tonight, do this now.

Until patches are deployed, avoid passing attacker-controlled DER-encoded ASN.1 data into affected d2i_* decoding functions, including d2i_X509() and d2i_PKCS7(). Where feasible, validate ASN.1 input sizes before decoding, reject unusually large ASN.1 primitive content lengths, and restrict exposure of vulnerable parsing paths to trusted inputs only. OpenSSL command-line tools are not affected because BIO-layer checks block the vulnerable path.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release. The provided advisory context states the issue is fixed in OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, 3.0.21, 1.1.1zh, and 1.0.2zq. Apply vendor-packaged updates where OpenSSL is bundled by the operating system or application stack. For downstream platforms, use the vendor-provided patched packages referenced in their advisories.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

FreebsdFreebsdapplication

OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

23 SOURCESView more in app

alpinelinuxNews

Jun 21, 2026

Alpine 3.22.5, 3.23.5 released | Alpine Linux

An OpenSSL vulnerability addressed in Alpine Linux 3.22.5 and 3.23.5 as part of the June 9, 2026 OpenSSL advisory.

alpinelinuxNews

Jun 13, 2026

Alpine 3.24.1 released | Alpine Linux

An OpenSSL vulnerability addressed in Alpine Linux 3.24.1 as part of the June 9, 2026 advisory.

openssl libraryNews

Jun 9, 2026

Vulnerabilities 4.0 | OpenSSL Library

A low-severity OpenSSL heap buffer over-read in ASN.1 content parsing caused by integer truncation in the ASN.1 decoder when parsing oversized DER-encoded primitive elements, potentially causing denial of service or unintended memory reads.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity16

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-34180

NVD

nvd.nist.gov/vuln/detail/CVE-2026-34180

MITRE CWE · CWE-190

cwe.mitre.org

Patch

github.com/openssl/openssl/commit/1c6908e4fa5fa568752221d8eaf561a809751e5d

Patch

github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83

Patch

github.com/openssl/openssl/commit/d93853c42110d6319e3df07842b488cb9f7ac5ff

Patch

github.com/openssl/openssl/commit/da5d62af75f69d6fbf7803743d7c56ac75461e43

Patch

github.com/openssl/openssl/commit/f696c73c3e61b8c502d040af62e690c060908a16

Vendor Advisory

openssl-library.org/news/secadv/20260609.txt