CVE-2026-28387

/* * Conceptual PoC for CVE-2026-28387 * This C code snippet demonstrates the client configuration required to trigger the vulnerability. * It must be linked against a vulnerable version of OpenSSL. * The exploit requires a server presenting TLSA records with both PKIX (0/1) and DANE-TA (2) usages. */ #include <stdio.h> #include <openssl/ssl.h> #include <openssl/err.h> int main() { SSL_CTX *ctx; SSL *ssl; const char *hostname = "example.com"; // 1. Initialize OpenSSL SSL_library_init(); SSL_load_error_strings(); // 2. Create a generic client context ctx = SSL_CTX_new(TLS_client_method()); if (!ctx) { fprintf(stderr, "Error creating SSL context\n"); return 1; } // 3. Enable DANE verification (Vulnerable Configuration) // This enables the code path that processes TLSA records if (SSL_CTX_dane_enable(ctx) <= 0) { fprintf(stderr, "Error enabling DANE\n"); SSL_CTX_free(ctx); return 1; } // 4. Create SSL connection structure ssl = SSL_new(ctx); if (!ssl) { fprintf(stderr, "Error creating SSL structure\n"); SSL_CTX_free(ctx); return 1; } // 5. Set the hostname for DANE lookup (TLSA records) // If the DNS server returns mixed PKIX and DANE-TA records, // the following operations would trigger the UAF/Double-Free. SSL_set_tlsext_host_name(ssl, hostname); // Note: Actual connection logic to a malicious server is required to trigger the crash. // This code sets up the prerequisite state. printf("Vulnerable client configuration initialized. Connect to malicious server to exploit.\n"); SSL_free(ssl); SSL_CTX_free(ctx); return 0; }

{"cve": {"id": "CVE-2026-28387", "sourceIdentifier": "[email protected]", "published": "2026-04-07T22:16:20.700", "lastModified": "2026-05-12T13:17:33.270", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based\nserver authentication, when paired with uncommon server DANE TLSA records, may\nresult in a use-after-free and/or double-free on the client side.\n\nImpact summary: A use after free can have a range of potential consequences\nsuch as the corruption of valid data, crashes or execution of arbitrary code.\n\nHowever, the issue only affects clients that make use of TLSA records with both\nthe PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate\nusage.\n\nBy far the most common deployment of DANE is in SMTP MTAs for which RFC7672\nrecommends that clients treat as 'unusable' any TLSA records that have the PKIX\ncertificate usages. These SMTP (or other similar) clients are not vulnerable\nto this issue. Conversely, any clients that support only the PKIX usages, and\nignore the DANE-TA(2) usage are also not vulnerable.\n\nThe client would also need to be communicating with a server that publishes a\nTLSA RRset with both types of TLSA records.\n\nNo FIPS modules are affected by this issue, the problem code is outside the\nFIPS module boundary."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1zg", "matchCriteriaId": "656A0540-5825-498E-A7AB-C14976FEE45D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.20", "matchCriteriaId": "B28A8143-89A4-4332-A1F8-A65FB5AA829F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.7", "matchCriteriaId": "CF303B21-D9BF-461D-B7B0-A3FE1D557A9F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.5", "matchCriteriaId": "DCCE43D0-8F17-475D-9EE6-842F758A9905"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.5.6", "matchCriteriaId": "F6BC0271-444D-4597-BF05-DC60034EAA49"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0", "versionEndExcluding": "3.6.2", "matchCriteriaId": "4A9E621D-29D8-418A-BF37-BED333C14507"}]}]}], "references": [{"url": "https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://openssl-library.org/news/secadv/20260407.txt", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3f ... (truncated)