
OpenSSL CVE-2026-7383

EUVD ID: EUVD-2026-35474
Weakness: Out-of-bounds Write (CWE-787)
Severity: High (vendor CVSS 8.1; rating disputed between sources)

Severity by source

Sources disagree (Low to High):
  • Vendor (CNA), primary: 8.1 HIGH, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • SUSE: 5.9 MEDIUM, AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Red Hat: 5.5 LOW (qualitative rating)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Jun 09, 2026 17:22, vuln.today: Source Code Evidence Fetched
  • Jun 09, 2026 17:22, vuln.today: Analysis Generated
  • Jun 09, 2026 17:22, NVD: CVSS changed to 8.1 (HIGH)
  • Jun 09, 2026 11:43, nvd: CVE Published, HIGH 8.1
  • Jun 09, 2026 11:43, nvd: CVE Published, UNKNOWN (no severity yet)

Description (pre-NVD)

Disclosed via GitHub release of openssl/openssl. NVD scoring and full description are pending.

Analysis (AI-generated)

Heap buffer overflow in OpenSSL's ASN.1 multibyte string conversion routine allows remote attackers to corrupt memory and potentially achieve code execution against applications using affected OpenSSL versions prior to 4.0.1. The flaw was disclosed via the OpenSSL 4.0.1 security patch release alongside 17 other CVEs and is classified as a high-severity issue (CVSS 8.1) with no public exploit identified at time of analysis.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:
  • Access: Identify service parsing ASN.1 input
  • Delivery: Craft malicious multibyte string payload
  • Exploit: Deliver via TLS handshake or CMS message
  • Execution: Trigger heap buffer overflow in conversion
  • Persist: Corrupt adjacent heap metadata
  • Impact: Achieve code execution in parser context

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires the target application to invoke OpenSSL's ASN.1 multibyte string conversion on attacker-controlled data, which typically means parsing an externally supplied X.509 certificate, CMS/PKCS#7 message, or similar ASN.1-encoded structure containing a maliciously crafted multibyte string field. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 8.1 score reflects a network-reachable, unauthenticated path (AV:N/PR:N/UI:N) with full CIA impact (C:H/I:H/A:H), but the High attack complexity (AC:H) signals that exploitation requires specific conditions, likely a crafted ASN.1 payload that bypasses normal length checks and triggers the overflow reliably. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker crafts a malicious X.509 certificate, CMS message, or other ASN.1-encoded blob with a specially shaped multibyte string field and delivers it to a target service, for example by initiating a TLS connection that presents a malicious client certificate, or by sending a signed/encrypted email to a server that parses S/MIME content. When OpenSSL converts the multibyte string, the heap buffer overflow corrupts adjacent allocations, potentially enabling code execution in the context of the parsing process. …

Remediation: Vendor-released patch: OpenSSL 4.0.1. Upgrade immediately to this version via https://github.com/openssl/openssl/releases/tag/openssl-4.0.1 and consult the official advisory at https://openssl-library.org/news/secadv/20260609.txt for branch-specific guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Complete inventory of systems running OpenSSL versions prior to 4.0.1. …


Vendor Status (Vendor)

SUSE
Severity: Moderate
Product Status:
  • SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS: Affected
  • SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS: Affected
  • SUSE Linux Enterprise Micro 5.3: Affected
