{
  "id": "CVE-2026-7383",
  "summary": "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion",
  "details": "Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary.",
  "modified": "2026-06-12T12:29:09.526130368Z",
  "published": "2026-06-09T16:03:15.508Z",
  "related": [
    "ALSA-2026:25237",
    "ALSA-2026:25239",
    "CGA-9q73-qf7g-7g7m"
  ],
  "database_specific": {
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7383.json",
    "cna_assigner": "openssl",
    "cwe_ids": ["CWE-787"]
  },
  "references": [
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7383.json"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7383"},
    {"type": "ADVISORY", "url": "https://openssl-library.org/news/secadv/20260609.txt"},
    {"type": "FIX", "url": "https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6"},
    {"type": "FIX", "url": "https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74"},
    {"type": "FIX", "url": "https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974"},
    {"type": "FIX", "url": "https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083"},
    {"type": "FIX", "url": "https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255"},
    {"type": "FIX", "url": "https://github.com/openssl/security/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6"},
    {"type": "FIX", "url": "https://github.com/openssl/security/commit/80c15faaf78042bbb8654a0e234c50c381732f74"},
    {"type": "FIX", "url": "https://github.com/openssl/security/commit/bd17511070fb39a67bfa19682affb765e706a974"},
    {"type": "FIX", "url": "https://github.com/openssl/security/commit/c332adaced43bcbb85f97410597e951c11ec3083"},
    {"type": "FIX", "url": "https://github.com/openssl/security/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/openssl/openssl",
          "events": [
            {"introduced": "11b7b6ea3b65a584e1d31408ed1bdb139465cffd"},
            {"fixed": "1e963a8680ec78ad2072792c7a1a71f3c530bd2e"},
            {"introduced": "7b371d80d959ec9ab4139d09d78e83c090de9779"},
            {"fixed": "aae016bfd52fcad2bc9657c2c782cfdf73b1ed5f"},
            {"introduced": "636dfadc70ce26f2473870570bfd9ec352806b1d"},
            {"fixed": "8cf17aaeb4599f8af87fefd810b5b5fee90fe69e"},
            {"introduced": "98acb6b02839c609ef5b837794e08d906d965335"},
            {"fixed": "c5ea1cc227fd60afae8ac4b9438690bbe4888f79"},
            {"introduced": "89cd17a031e022211684eb7eb41190cf1910f9fa"},
            {"fixed": "51ea949dc1436e865935b47874b21a3bb31a102e"},
            {"introduced": "e04bd3433fd84e1861bf258ea37928d9845e6a86"},
            {"fixed": "e04bd3433fd84e1861bf258ea37928d9845e6a86"},
            {"introduced": "e818b74be2170fbe957a07b0da4401c2b694b3b8"},
            {"fixed": "e818b74be2170fbe957a07b0da4401c2b694b3b8"}
          ],
          "database_specific": {
            "extracted_events": [
              {"introduced": "4.0.0"},
              {"fixed": "4.0.1"},
              {"introduced": "3.6.0"},
              {"fixed": "3.6.3"},
              {"introduced": "3.5.0"},
              {"fixed": "3.5.7"},
              {"introduced": "3.4.0"},
              {"fixed": "3.4.6"},
              {"introduced": "3.0.0"},
              {"fixed": "3.0.21"},
              {"introduced": "1.1.1"},
              {"fixed": "1.1.1zh"},
              {"introduced": "1.0.2"},
              {"fixed": "1.0.2zq"}
            ],
            "source": "AFFECTED_FIELD"
          }
        }
      ],
      "versions": [
        "openssl-4.0.0",
        "openssl-3.0.20",
        "openssl-3.4.5",
        "openssl-3.5.6",
        "openssl-3.6.2",
        "openssl-3.0.19",
        "openssl-3.4.4",
        "openssl-3.5.5",
        "openssl-3.6.1",
        "3.4-POST-CLANG-FORMAT-WEBKIT",
        "3.0-POST-CLANG-FORMAT-WEBKIT",
        "3.4-PRE-CLANG-FORMAT-WEBKIT",
        "3.5-POST-CLANG-FORMAT-WEBKIT",
        "3.0-PRE-CLANG-FORMAT-WEBKIT",
        "3.5-PRE-CLANG-FORMAT-WEBKIT",
        "3.6-POST-CLANG-FORMAT-WEBKIT",
        "3.6-PRE-CLANG-FORMAT-WEBKIT",
        "openssl-3.6.0",
        "openssl-3.0.18",
        "openssl-3.4.3",
        "openssl-3.5.4",
        "openssl-3.5.3",
        "openssl-3.5.2",
        "openssl-3.0.17",
        "openssl-3.4.2",
        "openssl-3.5.1",
        "openssl-3.5.0",
        "openssl-3.0.16",
        "openssl-3.4.1",
        "openssl-3.4.0",
        "openssl-3.0.15",
        "openssl-3.0.14",
        "openssl-3.0.13",
        "openssl-3.0.12",
        "openssl-3.0.11",
        "openssl-3.0.10",
        "openssl-3.0.9",
        "openssl-3.0.8",
        "openssl-3.0.7",
        "openssl-3.0.6",
        "openssl-3.0.5",
        "openssl-3.0.4",
        "openssl-3.0.3",
        "openssl-3.0.2",
        "openssl-3.0.1",
        "openssl-3.0.0"
      ],
      "database_specific": {
        "vanir_signatures_modified": "2026-06-11T08:15:16Z",
        "vanir_signatures": [
          {
            "id": "CVE-2026-7383-c377fa22",
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "28170854778703993674264004058177114599",
                "73132526844288570625317440636111911761",
                "177405411499435185068645597737938634778",
                "224809958623850711330610094965797758930",
                "295554444428855106393106961197201359586"
              ]
            },
            "signature_version": "v1",
            "target": {"file": "include/openssl/opensslv.h"},
            "source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86",
            "signature_type": "Line",
            "deprecated": false
          },
          {
            "id": "CVE-2026-7383-e051451f",
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "251633914150035957322733061977107206211",
                "338514574181828579838011565939158652696",
                "76638288692106140328510055542557597351",
                "142922657400765574308962710386922248045",
                "71649992455794854055653842592139575350",
                "65527166711110472566013424527579064967",
                "253196866009476977787139000804413898733",
                "172177136897997206866313011107384691461"
              ]
            },
            "signature_version": "v1",
            "target": {"file": "crypto/opensslv.h"},
            "source": "https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8",
            "signature_type": "Line",
            "deprecated": false
          }
        ],
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-7383.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}
  ]
}
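The sizing arithmetic the details field describes, as an added worked example in C. This is not OpenSSL's code and not its fix: the enum, the function names and the simplification that the input is nchar copies of a single code point are ours. The vulnerable variant reproduces the modulo-2^32 wrap of a 32-bit signed int size deterministically (via uint32_t, since signed overflow itself is undefined behaviour), and the allocation is modelled as size plus one terminator byte, which gives the one-byte allocation the advisory mentions for a wrapped size of zero. Beside it sits one safe way to size the buffer: size_t arithmetic with an overflow check, capped at INT_MAX because an ASN1_STRING length is an int.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the destination-size computation for the three Unicode output
 * forms named in the advisory. The names are ours, not OpenSSL's V_ASN1_*
 * constants: OUT_BMP stands for BMPSTRING (UTF-16, 2 bytes per character),
 * OUT_UNIVERSAL for UNIVERSALSTRING (UTF-32, 4 bytes), OUT_UTF8 for
 * UTF8STRING (1..4 bytes per character).
 */
enum outform { OUT_UTF8, OUT_BMP, OUT_UNIVERSAL };

/* UTF-8 length of one code point in the RFC 3629 range (1..4 bytes). */
static int utf8_len(uint32_t cp)
{
    if (cp < 0x80)    return 1;
    if (cp < 0x800)   return 2;
    if (cp < 0x10000) return 3;
    return 4;
}

/* Input is modelled as nchar copies of one code point, so the per-character
 * byte sum for UTF8STRING collapses to nchar * utf8_len(cp). */
static size_t bytes_per_char(enum outform f, uint32_t cp)
{
    switch (f) {
    case OUT_BMP:       return 2;
    case OUT_UNIVERSAL: return 4;
    default:            return (size_t)utf8_len(cp);
    }
}

/* Vulnerable pattern: the size is produced in a 32-bit signed int. Real signed
 * overflow is undefined behaviour; on the two's-complement targets in question
 * it wraps modulo 2^32, which we reproduce by accumulating in uint32_t and
 * converting once at the end. */
int outlen_signed_int(enum outform f, size_t nchar, uint32_t cp)
{
    uint32_t acc;

    switch (f) {
    case OUT_BMP:       acc = (uint32_t)nchar << 1; break;                     /* UTF-16 */
    case OUT_UNIVERSAL: acc = (uint32_t)nchar << 2; break;                     /* UTF-32 */
    default:            acc = (uint32_t)nchar * (uint32_t)utf8_len(cp); break; /* UTF-8  */
    }
    return (int)acc;   /* 2^30 UTF-32 characters: 2^32 wraps to 0 */
}

/* Allocation modelled as size plus one terminator byte (our assumption about
 * the shape of the expression), so a wrapped size of 0 yields a 1-byte buffer. */
size_t alloc_bytes(int outlen)
{
    return (size_t)outlen + 1;
}

/* What the character copy actually writes, independent of the bogus size. */
size_t bytes_written(enum outform f, size_t nchar, uint32_t cp)
{
    return nchar * bytes_per_char(f, cp);
}

/* Hardened pattern: size in size_t, overflow-checked before multiplying, and
 * capped at INT_MAX because the resulting ASN1_STRING length is an int.
 * Returns 1 and stores the size, or 0 and leaves *out untouched on rejection. */
int outlen_checked(enum outform f, size_t nchar, uint32_t cp, size_t *out)
{
    size_t per = bytes_per_char(f, cp);

    if (nchar > (size_t)INT_MAX / per)
        return 0;
    *out = nchar * per;
    return 1;
}

/* Convenience wrapper: the checked size, or SIZE_MAX when the input is rejected. */
size_t checked_size(enum outform f, size_t nchar, uint32_t cp)
{
    size_t out;
    return outlen_checked(f, nchar, cp, &out) ? out : SIZE_MAX;
}

int main(void)
{
    size_t nchar = (size_t)1 << 30;   /* constructed input: 2^30 characters */
    int bad = outlen_signed_int(OUT_UNIVERSAL, nchar, 0x41);

    printf("signed-int size for 2^30 UTF-32 chars: %d -> alloc %zu bytes, copy writes %zu bytes\n",
           bad, alloc_bytes(bad), bytes_written(OUT_UNIVERSAL, nchar, 0x41));
    printf("checked sizing of the same input: %s\n",
           checked_size(OUT_UNIVERSAL, nchar, 0x41) == SIZE_MAX ? "rejected" : "accepted");
    return 0;
}
```

Run as-is: the first line shows the advisory's worst case, a computed size of 0, a one-byte allocation and a copy that would write 4 GiB past it, while BMPSTRING at the same count goes negative rather than to zero. The checked variant rejects anything above INT_MAX bytes before allocating; it illustrates one correct sizing discipline, not the text of the OpenSSL patches listed under references, which remain the fix to deploy.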