{"id":"CVE-2026-35188","summary":"Double-free When Checking OCSP Stapled Response","details":"Issue summary: A malicious server can exploit TLS OCSP stapling by delivering\na crafted response through the status_request extension, triggering a\ndouble-free in the client's certificate verification path.\n\nImpact summary: Successful exploitation allows an attacker to corrupt heap\nmemory via a double-free, potentially leading to a Denial of Service or\npossibly an attacker controlled code execution or other undefined behavior.\n\nIf OCSP stapling is enabled and the TLS client connects to a malicious server,\na crafted OCSP stapled response can trigger a double free in the TLS client\nwhen the stapled response is checked.\n\nThe OCSP stapling is not enabled by default. Reliable code execution\nthrough a double-free is technically complex and highly environment-dependent\nbut the Denial of Service impact is straightforward to achieve, warranting\nModerate severity.\n\nNo FIPS modules are affected by this issue as the affected code is outside\nthe OpenSSL FIPS module boundary.","modified":"2026-07-08T08:12:58.750901543Z","published":"2026-06-09T16:03:24.395Z","related":["CGA-9rr4-3j45-jg93"],"database_specific":{"cna_assigner":"openssl","cwe_ids":["CWE-415"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35188.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35188.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35188"},{"type":"ADVISORY","url":"https://openssl-library.org/news/secadv/20260609.txt"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/131145d25659e8749a9ed1afb383484854cffb78"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/78d0154cffda03aaaac63a087cc523a6b35fa8fd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"7b371d80d959ec9ab4139d09d78e83c090de9779"},{"fixed":"aae016bfd52fcad2bc9657c2c782cfdf73b1ed5f"},{"introduced":"11b7b6ea3b65a584e1d31408ed1bdb139465cffd"},{"fixed":"131145d25659e8749a9ed1afb383484854cffb78"},{"fixed":"78d0154cffda03aaaac63a087cc523a6b35fa8fd"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING","REFERENCES"],"cpe":["cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","cpe:2.3:a:openssl:openssl:4.0.0:-:*:*:*:*:*:*"],"extracted_events":[{"introduced":"3.6.0"},{"fixed":"3.6.3"},{"introduced":"4.0.0-NA"},{"last_affected":"4.0.0-NA"}]}}],"versions":["4.0.0-NA","openssl-4.0.0","openssl-3.6.2","openssl-3.6.1","3.6-POST-CLANG-FORMAT-WEBKIT","3.6-PRE-CLANG-FORMAT-WEBKIT","openssl-3.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35188.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"}]}