OpenSSL ASN.1 Multibyte String Conversion Heap Buffer Overflow
CVE-2026-7383 is a low-severity memory corruption vulnerability in OpenSSL's ASN.1 multibyte string conversion logic, specifically in ASN1_mbstring_copy() and ASN1_mbstring_ncopy(). When producing Unicode output, the code computes the destination buffer size in a signed int. For BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), the size is derived by left-shifting the input character count; for UTF8STRING, it is derived by summing per-character byte counts. With extremely large attacker-controlled input, approximately on the order of 2^30 characters, these calculations can overflow the signed integer used for sizing. In the worst case, such as UNIVERSALSTRING input near 2^30 characters, the computed size can wrap to zero, causing OPENSSL_malloc(1) to allocate a one-byte buffer, after which the subsequent copy operation writes far beyond the allocation, resulting in a heap buffer overflow. OpenSSL states that normal X.509 certificate processing does not reach this condition because ASN1_STRING_set_by_NID() applies DIRSTRING_TYPE restrictions that exclude UNIVERSALSTRING and enforces per-NID size limits. Exploitation therefore depends on application-specific use of the affected APIs or custom ASN.1 string type registration via ASN1_STRING_TABLE_add().
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
27 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An OpenSSL vulnerability addressed in Alpine Linux 3.22.5 and 3.23.5 as part of the June 9, 2026 OpenSSL advisory.
An OpenSSL vulnerability addressed in Alpine Linux 3.24.1 as part of the June 9, 2026 advisory.
A low-severity OpenSSL heap buffer overflow in ASN.1 multibyte string conversion due to signed integer overflow when sizing Unicode output buffers, with limited practical attack surface.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.