CVE-2026-34180: Heap Buffer Over-read in ASN.1 Content Parsing
Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.
Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load the contents of memory beyond the end of the input buffer into the decoded ASN.1 object. More typically such ASN.1 elements would instead be truncated.
An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.
Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code.
The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.
The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
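The truncation described above, modeled in C as an added example (this is not OpenSSL's code, and every function name in it is hypothetical): a DER long-form length is parsed into a long and then narrowed to an int, once the vulnerable way without a range check and once with the check a decoder needs. Two assumptions are built in. First, that the truncation is a long-to-int narrowing; this is inferred from the 2 GB threshold and from the platform scope, since long is 64 bits on 64-bit Unix (LP64) and 32 bits on 64-bit Windows (LLP64), so only the former can carry a length above 2^31 in the first place. Second, that a negative narrowed length is what triggers the zero-byte scan; this matches the documented behaviour of ASN1_STRING_set(), which treats a negative length as "compute it with strlen()". The element headers in main() are constructed test inputs with the content bytes omitted.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Effect of narrowing a parsed DER content length to a 32-bit int. */
enum narrow_result {
    NARROW_EXACT = 0,      /* fits in int; the decoder sees the true length       */
    NARROW_TRUNCATED = 1,  /* positive but smaller than the true length           */
    NARROW_NEGATIVE = 2,   /* negative; a strlen()-style scan would be triggered  */
    NARROW_MALFORMED = 3   /* length octets could not be parsed                   */
};

/* Parse DER length octets (short or long form) into a long.
 * Returns the number of bytes consumed, or -1 for indefinite-length,
 * oversized or truncated input. sizeof(long) is 8 on LP64 Unix and 4 on
 * 64-bit Windows, so a length above 2 GiB is only representable on the
 * former, which is consistent with the advisory's platform scope. */
static int der_read_length(const unsigned char *p, size_t avail, long *out)
{
    if (avail < 1)
        return -1;
    if ((p[0] & 0x80) == 0) {            /* short form: one octet        */
        *out = p[0];
        return 1;
    }
    size_t n = p[0] & 0x7fu;             /* long form: n octets follow   */
    if (n == 0 || n > sizeof(long) || avail < 1 + n)
        return -1;                       /* indefinite form or too wide  */
    unsigned long v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    if (v > (unsigned long)LONG_MAX)
        return -1;
    *out = (long)v;
    return (int)(1 + n);
}

/* Vulnerable pattern (hypothetical): plain narrowing, no range check.
 * For out-of-range values the result is implementation-defined; on the
 * two's-complement compilers in common use it wraps modulo 2^32. */
static int narrow_unchecked(long len)
{
    return (int)len;
}

/* Hardened pattern (hypothetical): reject a length that does not fit an
 * int or that runs past the bytes actually available. 0 on success. */
static int narrow_checked(long len, size_t avail, int *out)
{
    if (len < 0 || len > INT_MAX || (size_t)len > avail)
        return -1;
    *out = (int)len;
    return 0;
}

/* Classify what the unchecked narrowing does to a parsed length. */
static enum narrow_result classify_narrowing(long len)
{
    int narrowed = narrow_unchecked(len);
    if (narrowed < 0)
        return NARROW_NEGATIVE;
    if ((long)narrowed != len)
        return NARROW_TRUNCATED;
    return NARROW_EXACT;
}

/* Take a complete element header (tag byte + length octets) and report
 * the effect of the unchecked narrowing on its content length. */
static enum narrow_result simulate_header(const unsigned char *hdr, size_t n, long *len_out)
{
    if (n < 2 || der_read_length(hdr + 1, n - 1, len_out) < 0)
        return NARROW_MALFORMED;
    return classify_narrowing(*len_out);
}

int main(void)
{
    /* Constructed OCTET STRING headers (tag 0x04); content bytes omitted. */
    static const unsigned char small[]   = {0x04, 0x02};                               /* 2          */
    static const unsigned char two_gib[] = {0x04, 0x84, 0x80, 0x00, 0x00, 0x00};       /* 2^31       */
    static const unsigned char max32[]   = {0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xFF};       /* 2^32 - 1   */
    static const unsigned char wrap5[]   = {0x04, 0x85, 0x01, 0x00, 0x00, 0x00, 0x05}; /* 2^32 + 5   */
    const unsigned char *cases[] = {small, two_gib, max32, wrap5};
    const size_t sizes[] = {sizeof small, sizeof two_gib, sizeof max32, sizeof wrap5};
    static const char *names[] = {"exact", "truncated", "negative", "malformed"};

    for (size_t i = 0; i < 4; i++) {
        long len = 0;
        int checked = 0;
        enum narrow_result r = simulate_header(cases[i], sizes[i], &len);
        int ok = narrow_checked(len, 16, &checked);   /* pretend 16 content bytes are present */
        printf("len=%ld unchecked=%d (%s) checked=%s\n", len, narrow_unchecked(len),
               names[r], ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The 0x84 FF FF FF FF header is the instructive case: its content length narrows to exactly -1, the value a strlen()-style path interprets as "scan for a zero byte", so the decoder may read short of or past the real buffer depending on where the first zero lies. The 0x85 01 00 00 00 05 header narrows to 5 and shows the "more typically truncated" outcome the advisory mentions. The checked variant rejects both, and also rejects any length larger than the bytes actually available, which is the check that matters regardless of how the length is stored.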
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1
- Affected Products: 1 (OpenSSL)
HarborGuard Analysis
Synopsis
A heap buffer over-read in OpenSSL's ASN.1 decoder affects applications on 64-bit Unix and Unix-like platforms that pass attacker-supplied data to OpenSSL's d2i_* family of decoding functions (such as d2i_X509 or d2i_PKCS7). The vulnerability is reachable over the network with no authentication required, and successful exploitation crashes the application or causes OpenSSL to read memory beyond the end of the input buffer. Patched-image rebuilds at versions 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3 and 4.0.1 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability for CVE-2026-34180 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle an affected OpenSSL version, not just images pulled from public registries.
HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Alerts are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at each applicable fix version (1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3 or 4.0.1, matched to the release line in the scanned image) becomes available through HarborGuard once the upstream package is published. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against it, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must be able to send a crafted DER-encoded ASN.1 payload to the target service over the network; any application that accepts attacker-supplied input for d2i_* decoding functions and is exposed over the network is in scope.
- Authentication: Not required
No credentials or account are needed; the crafted payload can be submitted by an unauthenticated party.
- Victim interaction: Not required
No user action is required; the application processes the malicious input without any human interaction on the victim side.
- Attack complexity: Low
The exploit is straightforward and does not depend on race conditions, memory layout randomization, or other environmental preconditions beyond delivering a single ASN.1 primitive element whose encoded content length exceeds 2 gigabytes.
Blast Radius
- Crashes the affected application process, taking down any service that relies on OpenSSL's ASN.1 decoding for certificate or PKCS7 processing.
- Causes OpenSSL to read memory contents beyond the end of the allocated input buffer, potentially exposing in-process data to the attacker via the decoded ASN.1 object output.
- Services handling TLS certificate validation, PKCS7 message parsing, or any other d2i_* decoding path are directly in the failure domain.
- 32-bit platforms and 64-bit Windows builds of OpenSSL are not affected; impact is scoped to 64-bit Unix and Unix-like systems only.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-34180 runs against all scanned images within minutes of CVE publication, covering both images pulled from public registries and custom-built images that vendor an affected OpenSSL version. For environments running an affected release line on 64-bit Unix or Unix-like platforms (4.0.x before 4.0.1, 3.6.x before 3.6.3, 3.5.x before 3.5.7, 3.4.x before 3.4.6, 3.0.x before 3.0.21, 1.1.1 before 1.1.1zh, or 1.0.2 before 1.0.2zq), a patched-image rebuild at the appropriate fix version is available. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the triage alert is routed to the designated team inbox with the CVSS 7.5 HIGH score and fix-version details attached, so the responsible team can act without needing to hunt for context.
Fix available
- OpenSSL / OpenSSL: < 4.0.1 (from 4.0.0) · < 3.6.3 (from 3.6.0) · < 3.5.7 (from 3.5.0) · < 3.4.6 (from 3.4.0) · < 3.0.21 (from 3.0.0) · < 1.1.1zh (from 1.1.1)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H