Severity: HIGH | CVE-2026-7383 | CNA: openssl

CVE-2026-7383: Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.

Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.

In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.

X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
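The advisory describes a destination size computed in a signed int that wraps once the input nears 2^30 characters. The following C program is an added illustration written for this page, not OpenSSL's ASN1_mbstring_ncopy() source: it models that sizing arithmetic for the three output forms (shift for UTF-16/UTF-32, per-character byte sum for UTF-8) and places an overflow-checked version beside it. The enum labels, the utf8_bytes() helper, the "nchar repetitions of one code point" input model, and the "+1 terminator byte" allocation request are all assumptions made for the illustration; OpenSSL's MBSTRING_* constants and encoder details differ.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the destination-size arithmetic the advisory describes.
 * Written for this page; it is not OpenSSL's ASN1_mbstring_ncopy() source.
 * Input is modelled as nchar repetitions of one code point cp (assumption:
 * real input has varying per-character widths). */

enum out_form { OUT_UTF8, OUT_BMP, OUT_UNIV };   /* our labels, not MBSTRING_* */

/* Bytes one code point occupies in UTF-8 (standard 1..4 byte forms; the
 * longer legacy forms OpenSSL's encoder knows are omitted here). */
static size_t utf8_bytes(uint32_t cp)
{
    if (cp < 0x80)    return 1;
    if (cp < 0x800)   return 2;
    if (cp < 0x10000) return 3;
    return 4;
}

/* Naive sizing in a 32-bit signed int, as the advisory describes: a left
 * shift for the fixed-width forms, a per-character byte sum for UTF-8 (the
 * sum collapses to a multiplication under the repeated-code-point model).
 * The arithmetic is done in uint32_t and then converted, so the wrap is
 * deterministic here instead of undefined behaviour; the int returned is
 * the value the naive code ends up using. */
int naive_outlen(enum out_form form, uint32_t cp, uint32_t nchar)
{
    uint32_t len;
    switch (form) {
    case OUT_BMP:  len = nchar << 1; break;              /* UTF-16 */
    case OUT_UNIV: len = nchar << 2; break;              /* UTF-32 */
    default:       len = nchar * (uint32_t)utf8_bytes(cp); break;
    }
    return (int)len;   /* 2^30 chars: UNIV wraps to 0, BMP goes negative */
}

/* Assumed allocation request: outlen plus one terminator byte. With the
 * wrapped size of 0 this is the malloc(1) the advisory mentions. */
size_t alloc_request(int outlen)
{
    return (size_t)outlen + 1;
}

/* Overflow-checked sizing: compute in size_t and refuse any result that
 * would not fit in an int (the type the API reports lengths in) together
 * with the terminator byte. Returns -1 when the input is too long. */
int checked_outlen(enum out_form form, uint32_t cp, uint32_t nchar)
{
    const size_t limit = (size_t)INT_MAX - 1;
    size_t per;
    switch (form) {
    case OUT_BMP:  per = 2; break;
    case OUT_UNIV: per = 4; break;
    default:       per = utf8_bytes(cp); break;
    }
    if (nchar > limit / per)
        return -1;                       /* would overflow: reject, don't wrap */
    return (int)((size_t)nchar * per);
}

int main(void)
{
    uint32_t n = (uint32_t)1 << 30;
    printf("UNIVERSALSTRING, 2^30 chars: naive=%d (alloc %zu), checked=%d\n",
           naive_outlen(OUT_UNIV, 'A', n),
           alloc_request(naive_outlen(OUT_UNIV, 'A', n)),
           checked_outlen(OUT_UNIV, 'A', n));
    printf("BMPSTRING, 2^30 chars: naive=%d, checked=%d\n",
           naive_outlen(OUT_BMP, 'A', n), checked_outlen(OUT_BMP, 'A', n));
    printf("UTF8STRING, 3 x U+20AC: naive=%d, checked=%d\n",
           naive_outlen(OUT_UTF8, 0x20AC, 3), checked_outlen(OUT_UTF8, 0x20AC, 3));
    return 0;
}
```

The checked variant is the shape of fix a reviewer looks for in any length-to-bytes conversion: the multiplication (or running sum) happens in a type wide enough to hold the true value, and the bound is checked against the narrowest type the result will later be stored in, before any allocation is sized from it.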

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 1.0.2zq
Affected Products: 1


HarborGuard Analysis

Synopsis

A heap buffer overflow affects the ASN.1 multibyte string conversion functions ASN1_mbstring_copy() and ASN1_mbstring_ncopy() in OpenSSL. The vulnerability is reachable over the network without authentication, but exploitation requires an application that calls those functions directly with attacker-controlled input exceeding roughly half a gigabyte in length, a condition not met by standard OpenSSL certificate-handling paths. Successful exploitation can crash the process or allow attacker-controlled code execution. Patched-image rebuilds at versions 1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, and 3.5.7 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-7383 is available across every HarborGuard environment, with ingestion from upstream feeds (including the OpenSSL CNA advisory) occurring within minutes of publication and matching performed against all images in customer registries and CI pipelines, including custom-built images that bundle OpenSSL directly. This coverage applies regardless of whether the image is based on a public base layer or a privately maintained one.

Triage: Available

HarborGuard scores this CVE at CVSS 8.1 (HIGH) and applies per-environment compliance policy weighting to reflect the constrained real-world exploitability described in the advisory before routing findings to the appropriate team inbox within each customer organization. Triage notes surface the key context that standard X.509 certificate paths do not exercise the overflow, helping teams prioritize against other open findings.

Patch: Available

A patched-image rebuild at the applicable fix version (1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, or 3.5.7 depending on the OpenSSL branch in use) becomes available in HarborGuard once the upstream package is published. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The CVSS vector is AV:N, meaning an attacker must be able to reach the vulnerable service over the network to supply the oversized input.

  • Authentication: Not required

    PR:N indicates no account or credential is needed before sending the malformed input.

  • Victim interaction: Not required

    UI:N means the attack does not depend on any user action such as clicking a link or opening a file.

  • Attack complexity: High (AC:H)

    AC:H reflects that exploitation depends on environmental factors beyond attacker control, specifically that the target application must call ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly with attacker-supplied input of roughly half a gigabyte or more, a condition absent from standard OpenSSL certificate-handling code paths.

Blast Radius

  • A successful exploit crashes the affected process by writing several gigabytes past a one-byte heap allocation, causing a denial of service for any workload relying on that process.
  • Where the memory corruption is shaped precisely enough, an attacker achieves arbitrary code execution within the process, gaining the same OS-level privileges as the running service.
  • Any secrets or data held in process memory at the time of exploitation, such as private keys or session credentials, become accessible to the attacker.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of advisory ingestion and matches against all images in customer registries and pipelines, including privately built images that vendor OpenSSL. Because fix versions exist across the active OpenSSL branches, a patched-image rebuild becomes available as soon as the upstream package lands, with no manual intervention required. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the corrected version, runs a regression-test pass, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Teams that cannot immediately rebuild should review whether any internal application calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly with externally sourced input, since standard certificate-handling paths in OpenSSL do not trigger the overflow. Where compliance policy permits, network-policy controls that cap maximum request body sizes can reduce exposure while a rebuild is prepared.


Fix available

1.0.2zq, 1.1.1zh, 3.0.21, 3.4.6, 3.5.7, 3.6.3, 4.0.1

Affected packages

  • OpenSSL / OpenSSL
    < 4.0.1 (from 4.0.0) · < 3.6.3 (from 3.6.0) · < 3.5.7 (from 3.5.0) · < 3.4.6 (from 3.4.0) · < 3.0.21 (from 3.0.0) · < 1.1.1zh (from 1.1.1)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H