Bug 2481879 (CVE-2026-7383) - CVE-2026-7383 openssl: OpenSSL: Heap buffer overflow due to signed integer overflow in Unicode output sizing
Summary: CVE-2026-7383 openssl: OpenSSL: Heap buffer overflow due to signed integer ov...
Keywords:
Status: NEW
Alias: CVE-2026-7383
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 13:10 UTC by OSIDB Bzimport
Modified: 2026-06-11 12:34 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:25237 0 None None None 2026-06-11 12:31:54 UTC
Red Hat Product Errata RHSA-2026:25239 0 None None None 2026-06-11 12:34:22 UTC

Description OSIDB Bzimport 2026-05-27 13:10:11 UTC 
Severity: Low

Issue summary: A signed integer overflow when sizing the destination
buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap
buffer overflow.

Impact summary: A heap buffer overflow may lead to a crash or possibly
attacker controlled code execution or other undefined behaviour.

In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination
size for Unicode output is computed in a signed int: by left shift
of the input character count for BMPSTRING (UTF-16) and
UNIVERSALSTRING (UTF-32), and by summing per-character byte counts
for UTF8STRING. The calculation overflows when the input reaches
around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30
characters) the size wraps to zero, OPENSSL_malloc(1) is called, and
the subsequent character copy writes several gigabytes past the
one-byte allocation.

X.509 certificate processing routes through ASN1_STRING_set_by_NID(),
whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID
size limits cap the input length; no network protocol or
certificate-handling path in OpenSSL exercises the overflow.
Triggering the bug requires an application that calls
ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers
a custom string type via ASN1_STRING_TABLE_add(), with
attacker-controlled input on the order of half a gigabyte or more.
For these reasons this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by
this issue, as the affected code is outside the OpenSSL FIPS module
boundary.

OpenSSL 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1 and 1.0.2 are vulnerable to
this issue.

OpenSSL 4.0 users should upgrade to OpenSSL 4.0.1.
OpenSSL 3.6 users should upgrade to OpenSSL 3.6.3.
OpenSSL 3.5 users should upgrade to OpenSSL 3.5.7.
OpenSSL 3.4 users should upgrade to OpenSSL 3.4.6.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.21.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1zh.
(premium support customers only).
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zq.
(premium support customers only).

This issue was reported on 27th February 2026 by Zehua Qiao and Jinwen He.
The fix was developed by Viktor Dukhovni.
Comment 2 errata-xmlrpc 2026-06-11 12:31:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:25237 https://access.redhat.com/errata/RHSA-2026:25237
Comment 3 errata-xmlrpc 2026-06-11 12:34:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:25239 https://access.redhat.com/errata/RHSA-2026:25239
Note You need to log in before you can comment on or make changes to this bug.