CVE-2026-35188
Description
A malicious server can exploit TLS OCSP stapling to trigger a double-free in OpenSSL clients, potentially causing DoS or code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path. This vulnerability affects OpenSSL clients when OCSP stapling is enabled and they connect to a malicious server. The OCSP stapling feature is not enabled by default. [1]
Exploitation
An attacker needs to operate a malicious server and trick a TLS client into connecting to it. The attacker then sends a crafted OCSP stapled response via the status_request extension. When the TLS client processes this response during certificate verification, the double-free condition is triggered. [1]
Impact
Successful exploitation allows an attacker to corrupt heap memory via a double-free. This can lead to a Denial of Service (DoS) by crashing the client process. In some environments, it may also lead to attacker-controlled code execution or other undefined behavior, though this is technically complex and highly environment-dependent. The DoS impact is considered straightforward to achieve. [1]
Mitigation
Not yet disclosed in the available references. The provided reference discusses a different vulnerability (CVE-2026-45447) related to PKCS#7 verification and lists affected and patched versions for that issue, but does not provide mitigation details for the OCSP stapling vulnerability (CVE-2026-35188).
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches
2131145d2565978d0154cffda
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 1
- OpenSSL Project: 18 Vulnerabilities Disclosed Together on June 9, 2026 (Vypr Intelligence, Jun 9, 2026)