Cyber Resilience

CVE-2026-35188

Severity: Medium · Status: Updated
Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed
CVSS Score v3.1: 5.0 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0024 (15.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-35188 is a medium-severity Double Free (CWE-415) vulnerability in Openssl Openssl. Its CVSS base score is 5.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path.

Impact summary: Successful exploitation allows an attacker to corrupt heap memory via a double-free, potentially leading to a Denial of Service or possibly an attacker controlled code execution or other undefined behavior. If OCSP stapling is enabled and the TLS client connects to a malicious server, a crafted OCSP stapled response can trigger a double free in the TLS client when the stapled response is checked. OCSP stapling is not enabled by default. Reliable code execution through a double-free is technically complex and highly environment-dependent, but the Denial of Service impact is straightforward to achieve, warranting Moderate severity. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary.

CWE(s): CWE-415 (Double Free)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Double-free memory corruption in TLS client during OCSP stapling verification enables remote code execution on client via malicious server response.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28387 (same product: Openssl Openssl)
CVE-2025-69419 (same product: Openssl Openssl)
CVE-2025-15467 (same product: Openssl Openssl)
CVE-2026-31789 (same product: Openssl Openssl)
CVE-2026-42769 (same product: Openssl Openssl)
CVE-2026-28386 (same product: Openssl Openssl)
CVE-2023-0464 (same product: Openssl Openssl)
CVE-2026-34180 (same product: Openssl Openssl)
CVE-2026-28388 (same product: Openssl Openssl)
CVE-2026-45447 (same product: Openssl Openssl)

Affected Assets

Vendor: openssl · Product: openssl
Affected versions: 4.0.0; 3.6.0 through 3.6.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248590: OL 8 must clear the page allocator to prevent use-after-free attacks (via CWE-415)