U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2026-28387 Detail

Description

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://cert-portal.siemens.com/productcert/html/ssa-032379.html siemens-SADP
https://cert-portal.siemens.com/productcert/html/ssa-265688.html siemens-SADP
https://github.com/openssl/openssl/commit/07e727d304746edb49a98ee8f6ab00256e1f012b OpenSSL Software Foundation Patch 
https://github.com/openssl/openssl/commit/258a8f63b26995ba357f4326da00e19e29c6acbe OpenSSL Software Foundation Patch 
https://github.com/openssl/openssl/commit/444958deaf450aea819171f97ae69eaedede42c3 OpenSSL Software Foundation Patch 
https://github.com/openssl/openssl/commit/7a4e08cee62a728d32e60b0de89e6764339df0a7 OpenSSL Software Foundation Patch 
https://github.com/openssl/openssl/commit/ec03fa050b3346997ed9c5fef3d0e16ad7db8177 OpenSSL Software Foundation Patch 
https://openssl-library.org/news/secadv/20260407.txt OpenSSL Software Foundation Vendor Advisory 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-416 Use After Free OpenSSL Software Foundation  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2026-28387
NVD Published Date:
04/07/2026
NVD Last Modified:
05/12/2026
Source:
OpenSSL Software Foundation