Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-7383

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-787 Escritura fuera de límites
Fecha de publicación:
09/06/2026
Última modificación:
16/06/2026

Descripción

*** Pendiente de traducción *** Issue summary: A signed integer overflow when sizing the destination<br /> buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap<br /> buffer overflow.<br /> <br /> Impact summary: A heap buffer overflow may lead to a crash or possibly<br /> attacker controlled code execution or other undefined behaviour.<br /> <br /> In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination<br /> size for Unicode output is computed in a signed int: by left shift<br /> of the input character count for BMPSTRING (UTF-16) and<br /> UNIVERSALSTRING (UTF-32), and by summing per-character byte counts<br /> for UTF8STRING. The calculation overflows when the input reaches<br /> around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30<br /> characters) the size wraps to zero, OPENSSL_malloc(1) is called, and<br /> the subsequent character copy writes several gigabytes past the<br /> one-byte allocation.<br /> <br /> X.509 certificate processing routes through ASN1_STRING_set_by_NID(),<br /> whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID<br /> size limits cap the input length; no network protocol or<br /> certificate-handling path in OpenSSL exercises the overflow.<br /> Triggering the bug requires an application that calls<br /> ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers<br /> a custom string type via ASN1_STRING_TABLE_add(), with<br /> attacker-controlled input on the order of half a gigabyte or more.<br /> For these reasons this issue was assigned Low severity.<br /> <br /> The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by<br /> this issue, as the affected code is outside the OpenSSL FIPS module<br /> boundary.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 1.0.2 (incluyendo) 1.0.2zq (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 1.1.1 (incluyendo) 1.1.1zh (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.0.0 (incluyendo) 3.0.21 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.4.0 (incluyendo) 3.4.6 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.5.0 (incluyendo) 3.5.7 (excluyendo)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.6.0 (incluyendo) 3.6.3 (excluyendo)
cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*