Description
Issue summary: A malicious server can exploit TLS OCSP stapling by delivering
a crafted response through the status_request extension, triggering a
double-free in the client's certificate verification path.

Impact summary: Successful exploitation allows an attacker to corrupt heap
memory via a double-free, potentially leading to a Denial of Service or
possibly attacker-controlled code execution or other undefined behavior.

If OCSP stapling is enabled and the TLS client connects to a malicious server,
a crafted OCSP stapled response can trigger a double-free in the TLS client
when the stapled response is checked.

OCSP stapling is not enabled by default. Reliable code execution
through a double-free is technically complex and highly environment-dependent,
but the Denial of Service impact is straightforward to achieve, warranting
Moderate severity.

No FIPS modules are affected by this issue as the affected code is outside
the OpenSSL FIPS module boundary.
Published: 2026-06-09
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious TLS server can send a crafted OCSP stapled response via the status_request extension to a client that has OCSP stapling enabled. The OpenSSL client library then performs the certificate verification and, due to a double-free bug, releases memory that is still in use. The resulting heap corruption can lead to a service disruption or, if successfully exploited, to arbitrary code execution on the client. The flaw is a classic CWE-415 double-free vulnerability.

Affected Systems

The vulnerability affects the OpenSSL library. No specific version range is provided, and OCSP stapling is not enabled by default. FIPS modules are not affected, as the code that misbehaves lies outside the FIPS module boundary.

Risk and Exploitability

The risk level is moderate because a denial-of-service outcome is straightforward to achieve, while reliable code execution requires a complex combination of conditions. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control the TLS server and send a malformed stapled response to a client that has OCSP stapling enabled. The attack surface is therefore limited to TLS clients that have enabled this feature, and the attacker must first be able to establish a TLS connection to the client.

Generated by OpenCVE AI on June 9, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable OCSP stapling in client configurations unless the feature is required.
  • Update the OpenSSL library to the latest stable release as soon as an official patch becomes available.
  • Monitor TLS traffic for anomalous OCSP stapled responses and block traffic from unknown or misbehaving servers.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Openssl; Openssl openssl
Vendors & Products    -                Openssl; Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description   -                (issue and impact summary, identical to the Description section at the top of this page)
Title         -                Double-free When Checking OCSP Stapled Response
Weaknesses    -                CWE-415
References

MITRE

Status: PUBLISHED

Assigner: openssl

Published:

Updated: 2026-06-09T16:03:24.395Z

Reserved: 2026-04-01T17:36:26.323Z

Link: CVE-2026-35188

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:05.437

Modified: 2026-06-09T19:38:32.463

Link: CVE-2026-35188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T17:45:09Z

Weaknesses