CVE-2026-28387 [High] | Use-After-Free in Openssl

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-04-08	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-04-08

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.1	3.1	HIGH	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.2	5.9	[email protected]
8.1	3.1	HIGH	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.2	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.1

3.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.2

5.9

[email protected]

8.1

3.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.2

5.9

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2026-28387

vendor	priority	summary	link
`alpine`	—	CVE-2026-28387: 1 source package rows (openssl); 5 state rows across 5 repos (3.20-main, 3.21-main, 3.22-main, 3.23-main, edge-main); fixed 5, open 0.	https://security.alpinelinux.org/vuln/CVE-2026-28387
`debian`	not yet assigned	CVE-2026-28387 not yet assigned priority: Debian including 1 source packages (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-28387
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2026-28387
`suse`	medium	CVE-2026-28387 severity moderate: SUSE including 395 source package names (1.1.2-2.16:libopenssl3-3.2.3-150700.5.31.1, 1.1.2-2.16:openssl-3-3.2.3-150700.5.31.1, …), 749 product×package rows across 97 product lines (Container private-registry/harbor-core, Container private-registry/harbor-exporter, … (97 product lines)): Fixed 416, Known Affected 231, Known Not Affected 87, First Fixed 15.	https://www.suse.com/security/cve/CVE-2026-28387/
`ubuntu`	low	CVE-2026-28387 low priority: Ubuntu including 5 source packages (edk2, nodejs, openssl, openssl-fips, openssl1.0), 37 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): needs-triage 13, DNE 8, not-affected 8, released 7, needed 1.	https://ubuntu.com/security/CVE-2026-28387

Affected software / configurations for CVE-2026-28387

Vendor	Product	Version	Raw CPE
openssl	openssl	>= 1.1.1, < 1.1.1zg	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.0.0, < 3.0.20	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.3.0, < 3.3.7	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.4.0, < 3.4.5	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.5.0, < 3.5.6	cpe:2.3:a:openssl:openssl::::::::
openssl	openssl	>= 3.6.0, < 3.6.2	cpe:2.3:a:openssl:openssl::::::::

References for CVE-2026-28387

URL	Tags
https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b	Patch
https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe	Patch
https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3	Patch
https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7	Patch
https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177	Patch
https://openssl-library.org/news/secadv/20260407.txt	Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html
https://cert-portal.siemens.com/productcert/html/ssa-265688.html

URL

CVE-2026-28387 | Potential Use-after-free in DANE Client Code

Exploit prediction scoring system (EPSS) score for CVE-2026-28387

Common vulnerability scoring system (CVSS) metrics for CVE-2026-28387

Weakness enumeration for CVE-2026-28387

GitHub Security Advisory for CVE-2026-28387

OS Trackers for CVE-2026-28387

Affected software / configurations for CVE-2026-28387

References for CVE-2026-28387