CVE-2026-35188 Overview
CVE-2026-35188 is a double-free vulnerability [CWE-415] in OpenSSL's TLS client certificate verification path. A malicious server can deliver a crafted Online Certificate Status Protocol (OCSP) response through the TLS status_request extension. When the client processes the stapled response, it triggers a double-free condition in heap memory.
The vulnerability requires OCSP stapling to be enabled on the client, which is not the default configuration. Successful exploitation can cause a Denial of Service (DoS) or, in environment-dependent scenarios, attacker-controlled code execution. FIPS modules are not affected because the vulnerable code lies outside the OpenSSL FIPS module boundary.
Critical Impact
A malicious TLS server can corrupt heap memory in any OpenSSL client with OCSP stapling enabled, resulting in DoS and potentially arbitrary code execution.
Affected Products
- OpenSSL TLS client implementations with OCSP stapling enabled
- Applications using the OpenSSL status_request extension for certificate validation
- Non-FIPS OpenSSL deployments — FIPS module boundary code is unaffected
Discovery Timeline
- 2026-06-09 - OpenSSL publishes security advisory and commit fixes
- 2026-06-09 - CVE-2026-35188 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-35188
Vulnerability Analysis
The flaw resides in the TLS client code path that processes OCSP responses stapled by the server via the status_request extension. When the client validates the stapled response during certificate verification, an internal allocation tracking error causes the same heap buffer to be freed twice. Double-free conditions corrupt heap allocator metadata and can be leveraged to manipulate subsequent memory allocations.
A reachable double-free reliably produces process termination, making DoS straightforward to achieve against any OCSP-stapling-enabled TLS client. Weaponizing the condition into arbitrary code execution depends on the platform allocator, hardening flags, and the surrounding allocation patterns. OpenSSL classifies the issue as Moderate severity because exploitation for code execution is complex.
Root Cause
The defect is a memory management error categorized as [CWE-415] Double Free. Two distinct code paths release the same heap object during processing of the crafted OCSP response, leaving the freelist or allocator metadata in an inconsistent state. The relevant fixes are tracked in OpenSSL commits 131145d25659e8749a9ed1afb383484854cffb78 and 78d0154cffda03aaaac63a087cc523a6b35fa8fd.
Attack Vector
The attack is network-based. An attacker must operate or control a TLS server that the victim client connects to. During the TLS handshake, the malicious server returns a crafted CertificateStatus message containing a malformed OCSP response. When the client parses and verifies the stapled response, the double-free is triggered. The attacker does not need user interaction beyond inducing the client to connect, which is achievable via redirects, DNS tampering, or any service the attacker controls.
No verified public proof-of-concept exists at the time of publication. See the OpenSSL Security Advisory for technical details.
Detection Methods for CVE-2026-35188
Indicators of Compromise
- Unexpected crashes or SIGABRT/SIGSEGV signals in processes that perform outbound TLS with OCSP stapling enabled
- Heap allocator abort messages such as double free or corruption in application or system logs
- TLS client processes terminating immediately after status_request extension handling during handshake
Detection Strategies
- Inspect outbound TLS handshakes for CertificateStatus messages from untrusted servers and correlate with subsequent process crashes
- Audit OpenSSL-linked applications for the SSL_CTX_set_tlsext_status_type call to identify clients that have OCSP stapling enabled
- Compare deployed OpenSSL library versions against the fixed commits listed in the OpenSSL advisory
Monitoring Recommendations
- Forward libc and glibc malloc abort messages to centralized logging for correlation with TLS endpoints
- Alert on repeated crashes of the same TLS client process when connecting to previously unseen remote hosts
- Track TLS clients establishing connections to newly registered or low-reputation domains immediately before a process crash
How to Mitigate CVE-2026-35188
Immediate Actions Required
- Upgrade OpenSSL to the patched release referenced in the OpenSSL Security Advisory
- Inventory applications statically or dynamically linked against vulnerable OpenSSL versions and prioritize patching client-side TLS consumers
- Where patching is not immediately possible, disable OCSP stapling on TLS clients
Patch Information
The upstream fixes are applied in OpenSSL commits 131145d2 and 78d0154c. Distribution maintainers should backport both commits, and operators should rebuild or update any applications that statically link OpenSSL.
Workarounds
- Disable OCSP stapling on the TLS client by avoiding SSL_CTX_set_tlsext_status_type(ctx, TLSEXT_STATUSTYPE_ocsp) and equivalent API calls
- Restrict outbound TLS connections to known, trusted servers using egress filtering until patches are deployed
- Rely on the OpenSSL FIPS module for affected workflows where feasible, as the FIPS boundary code is not impacted
# Verify OpenSSL version and check whether OCSP stapling is requested by a client
openssl version -a
# Probe a server's stapled OCSP response (use only against trusted servers)
openssl s_client -connect example.com:443 -status -servername example.com < /dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
