Vulnerability-Lookup

MSRC_CVE-2026-7383

Vulnerability from csaf_microsoft - Published: 2026-06-02 00:00 - Updated: 2026-06-13 01:03

Summary

Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-7383

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 - Out-of-bounds Write

Affected products

Known affected 9 products

Product	Version	Remediation
Unresolved product id: 17084-9	—	None Available
Unresolved product id: 17084-1	—	None Available
Unresolved product id: 17084-5	—	None Available
Unresolved product id: 17084-8	—	None Available
Unresolved product id: 17084-4	—	None Available
Unresolved product id: 17084-3	—	None Available
Unresolved product id: 17084-2	—	None Available
Unresolved product id: 17084-7	—	None Available
Unresolved product id: 17084-6	—	None Available

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-7383 Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-7383.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion",
    "tracking": {
      "current_release_date": "2026-06-13T01:03:46.000Z",
      "generator": {
        "date": "2026-06-13T07:03:13.179Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-7383",
      "initial_release_date": "2026-06-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-06-13T01:03:46.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 cloud-hypervisor 0:51.1.56-1.azl3",
                "product": {
                  "name": "azl3 cloud-hypervisor 0:51.1.56-1.azl3",
                  "product_id": "9"
                }
              }
            ],
            "category": "product_name",
            "name": "cloud-hypervisor"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 edk2 0:20240524git3e722403cd16-17.azl3",
                "product": {
                  "name": "azl3 edk2 0:20240524git3e722403cd16-17.azl3",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "edk2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 nodejs 0:24.14.1-3.azl3",
                "product": {
                  "name": "azl3 nodejs 0:24.14.1-3.azl3",
                  "product_id": "5"
                }
              }
            ],
            "category": "product_name",
            "name": "nodejs"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 openssl 0:3.3.5-5.azl3",
                "product": {
                  "name": "azl3 openssl 0:3.3.5-5.azl3",
                  "product_id": "8"
                }
              }
            ],
            "category": "product_name",
            "name": "openssl"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 qemu 0:9.1.0-7.azl3",
                "product": {
                  "name": "azl3 qemu 0:9.1.0-7.azl3",
                  "product_id": "4"
                }
              }
            ],
            "category": "product_name",
            "name": "qemu"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 rust 0:1.75.0-29.azl3",
                "product": {
                  "name": "azl3 rust 0:1.75.0-29.azl3",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 rust 0:1.90.0-8.azl3",
                "product": {
                  "name": "azl3 rust 0:1.90.0-8.azl3",
                  "product_id": "2"
                }
              }
            ],
            "category": "product_name",
            "name": "rust"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 shim-unsigned-aarch64 0:16.1-2.azl3",
                "product": {
                  "name": "azl3 shim-unsigned-aarch64 0:16.1-2.azl3",
                  "product_id": "7"
                }
              }
            ],
            "category": "product_name",
            "name": "shim-unsigned-aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 shim-unsigned-x64 0:16.1-2.azl3",
                "product": {
                  "name": "azl3 shim-unsigned-x64 0:16.1-2.azl3",
                  "product_id": "6"
                }
              }
            ],
            "category": "product_name",
            "name": "shim-unsigned-x64"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 cloud-hypervisor 0:51.1.56-1.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-9"
        },
        "product_reference": "9",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 edk2 0:20240524git3e722403cd16-17.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 nodejs 0:24.14.1-3.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 openssl 0:3.3.5-5.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-8"
        },
        "product_reference": "8",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 qemu 0:9.1.0-7.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 rust 0:1.75.0-29.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 rust 0:1.90.0-8.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 shim-unsigned-aarch64 0:16.1-2.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-7"
        },
        "product_reference": "7",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 shim-unsigned-x64 0:16.1-2.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-7383",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "general",
          "text": "openssl",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17084-9",
          "17084-1",
          "17084-5",
          "17084-8",
          "17084-4",
          "17084-3",
          "17084-2",
          "17084-7",
          "17084-6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-7383 Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-7383.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-9"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-1"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-5"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-8"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-4"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-3"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-2"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-7"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-06-13T01:03:46.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 8.1,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "17084-9",
            "17084-1",
            "17084-5",
            "17084-8",
            "17084-4",
            "17084-3",
            "17084-2",
            "17084-7",
            "17084-6"
          ]
        }
      ],
      "title": "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion"
    }
  ]
}

CVE-2026-7383 (GCVE-0-2026-7383)

Vulnerability from cvelistv5 – Published: 2026-06-09 16:03 – Updated: 2026-06-10 07:47

Title

Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion

Summary

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-787 - Out-of-bounds Write

Assigner

openssl

References

6 references

URL	Tags
https://openssl-library.org/news/secadv/20260609.txt	vendor-advisory
https://github.com/openssl/openssl/commit/d32350a…	patch
https://github.com/openssl/openssl/commit/c332ada…	patch
https://github.com/openssl/openssl/commit/80c15fa…	patch
https://github.com/openssl/openssl/commit/4f8d2bd…	patch
https://github.com/openssl/openssl/commit/bd17511…	patch

Impacted products

1 product

Vendor	Product	Version
OpenSSL	OpenSSL	Affected: 4.0.0 , < 4.0.1 (semver) Affected: 3.6.0 , < 3.6.3 (semver) Affected: 3.5.0 , < 3.5.7 (semver) Affected: 3.4.0 , < 3.4.6 (semver) Affected: 3.0.0 , < 3.0.21 (semver) Affected: 1.1.1 , < 1.1.1zh (custom) Affected: 1.0.2 , < 1.0.2zq (custom)

Date Public

2026-06-09 14:00

Credits

Zehua Qiao Jinwen He Viktor Dukhovni

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-7383",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T03:58:57.944Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.6.3",
              "status": "affected",
              "version": "3.6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.5.7",
              "status": "affected",
              "version": "3.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.4.6",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.21",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.1zh",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            },
            {
              "lessThan": "1.0.2zq",
              "status": "affected",
              "version": "1.0.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Zehua Qiao"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "Jinwen He"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Viktor Dukhovni"
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Issue summary: A signed integer overflow when sizing the destination\u003cbr\u003ebuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\u003cbr\u003ebuffer overflow.\u003cbr\u003e\u003cbr\u003eImpact summary: A heap buffer overflow may lead to a crash or possibly\u003cbr\u003eattacker controlled code execution or other undefined behaviour.\u003cbr\u003e\u003cbr\u003eIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\u003cbr\u003esize for Unicode output is computed in a signed int: by left shift\u003cbr\u003eof the input character count for BMPSTRING (UTF-16) and\u003cbr\u003eUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\u003cbr\u003efor UTF8STRING. The calculation overflows when the input reaches\u003cbr\u003earound 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\u003cbr\u003echaracters) the size wraps to zero, OPENSSL_malloc(1) is called, and\u003cbr\u003ethe subsequent character copy writes several gigabytes past the\u003cbr\u003eone-byte allocation.\u003cbr\u003e\u003cbr\u003eX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\u003cbr\u003ewhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\u003cbr\u003esize limits cap the input length; no network protocol or\u003cbr\u003ecertificate-handling path in OpenSSL exercises the overflow.\u003cbr\u003eTriggering the bug requires an application that calls\u003cbr\u003eASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\u003cbr\u003ea custom string type via ASN1_STRING_TABLE_add(), with\u003cbr\u003eattacker-controlled input on the order of half a gigabyte or more.\u003cbr\u003eFor these reasons this issue was assigned Low severity.\u003cbr\u003e\u003cbr\u003eThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\u003cbr\u003ethis issue, as the affected code is outside the OpenSSL FIPS module\u003cbr\u003eboundary."
            }
          ],
          "value": "Issue summary: A signed integer overflow when sizing the destination\nbuffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap\nbuffer overflow.\n\nImpact summary: A heap buffer overflow may lead to a crash or possibly\nattacker controlled code execution or other undefined behaviour.\n\nIn ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination\nsize for Unicode output is computed in a signed int: by left shift\nof the input character count for BMPSTRING (UTF-16) and\nUNIVERSALSTRING (UTF-32), and by summing per-character byte counts\nfor UTF8STRING. The calculation overflows when the input reaches\naround 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30\ncharacters) the size wraps to zero, OPENSSL_malloc(1) is called, and\nthe subsequent character copy writes several gigabytes past the\none-byte allocation.\n\nX.509 certificate processing routes through ASN1_STRING_set_by_NID(),\nwhose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID\nsize limits cap the input length; no network protocol or\ncertificate-handling path in OpenSSL exercises the overflow.\nTriggering the bug requires an application that calls\nASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers\na custom string type via ASN1_STRING_TABLE_add(), with\nattacker-controlled input on the order of half a gigabyte or more.\nFor these reasons this issue was assigned Low severity.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by\nthis issue, as the affected code is outside the OpenSSL FIPS module\nboundary."
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Low"
            },
            "type": "https://openssl-library.org/policies/general/security-policy/"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T07:47:47.578Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://openssl-library.org/news/secadv/20260609.txt"
        },
        {
          "name": "4.0.1 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/d32350ae8ef7426718f5aa9e383d4b51398ee255"
        },
        {
          "name": "3.6.3 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/c332adaced43bcbb85f97410597e951c11ec3083"
        },
        {
          "name": "3.5.7 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/80c15faaf78042bbb8654a0e234c50c381732f74"
        },
        {
          "name": "3.4.6 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6"
        },
        {
          "name": "3.0.21 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openssl/openssl/commit/bd17511070fb39a67bfa19682affb765e706a974"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Possible Heap Buffer Overflow in ASN.1 Multibyte String Conversion",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2026-7383",
    "datePublished": "2026-06-09T16:03:15.508Z",
    "dateReserved": "2026-04-29T08:21:07.253Z",
    "dateUpdated": "2026-06-10T07:47:47.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2026-7383

CVE-2026-7383 (GCVE-0-2026-7383)

Tags

Sightings

Nomenclature