CVE-2026-7383

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1mbstringncopy() can lead to a heap buffer overflow.

Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.

In ASN1mbstringcopy() and ASN1mbstringncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.

X.509 certificate processing routes through ASN1STRINGsetbyNID(), whose DIRSTRINGTYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1mbstringcopy() or ASN1mbstringncopy() directly, or registers a custom string type via ASN1STRINGTABLEadd(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7383.json",
    "cwe_ids": [
        "CWE-787"
    ],
    "cna_assigner": "openssl"
}

References

Affected packages

Git / github.com/openssl/openssl

Affected ranges

Type

GIT

Repo

https://github.com/openssl/openssl

Events

Introduced

11b7b6ea3b65a584e1d31408ed1bdb139465cffd

Fixed

1e963a8680ec78ad2072792c7a1a71f3c530bd2e

Introduced

7b371d80d959ec9ab4139d09d78e83c090de9779

Fixed

aae016bfd52fcad2bc9657c2c782cfdf73b1ed5f

Introduced

636dfadc70ce26f2473870570bfd9ec352806b1d

Fixed

8cf17aaeb4599f8af87fefd810b5b5fee90fe69e

Introduced

98acb6b02839c609ef5b837794e08d906d965335

Fixed

c5ea1cc227fd60afae8ac4b9438690bbe4888f79

Introduced

89cd17a031e022211684eb7eb41190cf1910f9fa

Fixed

51ea949dc1436e865935b47874b21a3bb31a102e

Introduced

e04bd3433fd84e1861bf258ea37928d9845e6a86

Fixed

e04bd3433fd84e1861bf258ea37928d9845e6a86

Introduced

e818b74be2170fbe957a07b0da4401c2b694b3b8

Fixed

e818b74be2170fbe957a07b0da4401c2b694b3b8

Database specific

{
    "extracted_events": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.1"
        },
        {
            "introduced": "3.6.0"
        },
        {
            "fixed": "3.6.3"
        },
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.7"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.6"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.21"
        },
        {
            "introduced": "1.1.1"
        },
        {
            "fixed": "1.1.1zh"
        },
        {
            "introduced": "1.0.2"
        },
        {
            "fixed": "1.0.2zq"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

3.*

3.0-POST-CLANG-FORMAT-WEBKIT

3.0-PRE-CLANG-FORMAT-WEBKIT

3.4-POST-CLANG-FORMAT-WEBKIT

3.4-PRE-CLANG-FORMAT-WEBKIT

3.5-POST-CLANG-FORMAT-WEBKIT

3.5-PRE-CLANG-FORMAT-WEBKIT

3.6-POST-CLANG-FORMAT-WEBKIT

3.6-PRE-CLANG-FORMAT-WEBKIT

openssl-3.*

openssl-3.0.0

openssl-3.0.1

openssl-3.0.10

openssl-3.0.11

openssl-3.0.12

openssl-3.0.13

openssl-3.0.14

openssl-3.0.15

openssl-3.0.16

openssl-3.0.17

openssl-3.0.18

openssl-3.0.19

openssl-3.0.2

openssl-3.0.20

openssl-3.0.3

openssl-3.0.4

openssl-3.0.5

openssl-3.0.6

openssl-3.0.7

openssl-3.0.8

openssl-3.0.9

openssl-3.4.0

openssl-3.4.1

openssl-3.4.2

openssl-3.4.3

openssl-3.4.4

openssl-3.4.5

openssl-3.5.0

openssl-3.5.1

openssl-3.5.2

openssl-3.5.3

openssl-3.5.4

openssl-3.5.5

openssl-3.5.6

openssl-3.6.0

openssl-3.6.1

openssl-3.6.2

openssl-4.*

openssl-4.0.0

Database specific

vanir_signatures

[
    {
        "digest": {
            "line_hashes": [
                "28170854778703993674264004058177114599",
                "73132526844288570625317440636111911761",
                "177405411499435185068645597737938634778",
                "224809958623850711330610094965797758930",
                "295554444428855106393106961197201359586"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2026-7383-c377fa22",
        "signature_version": "v1",
        "target": {
            "file": "include/openssl/opensslv.h"
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86"
    },
    {
        "digest": {
            "line_hashes": [
                "251633914150035957322733061977107206211",
                "338514574181828579838011565939158652696",
                "76638288692106140328510055542557597351",
                "142922657400765574308962710386922248045",
                "71649992455794854055653842592139575350",
                "65527166711110472566013424527579064967",
                "253196866009476977787139000804413898733",
                "172177136897997206866313011107384691461"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2026-7383-e051451f",
        "signature_version": "v1",
        "target": {
            "file": "crypto/opensslv.h"
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8"
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-7383.json"

vanir_signatures_modified

"2026-06-11T08:15:16Z"