// 3 ZERO-DAY · 2 CVE · 4 EXPLOIT IN THE LAST 24H
CVE-2026-35188 is a double-free in OpenSSL's OCSP stapling verification. ZDI calls it RCE; the official CVE record rates it Moderate. Patches are available in OpenSSL 3.6.3 and 4.0.1.

On July 15, 2026, Trend Micro published advisory ZDI-26-425 documenting a double-free vulnerability in the OpenSSL cryptographic library. The flaw, tracked as CVE-2026-35188, resides in the verification of OCSP stapling responses and allows remote arbitrary code execution when a TLS client connects to a malicious server. Patches are available in versions 3.6.3 and 4.0.1.

The case reveals a significant discrepancy: ZDI describes an RCE impact without qualification, while the official CVE record assigns a Moderate severity rating. The CVE record provides no numerical CVSS score. This gap between theoretical risk and official classification raises questions about how assessment metrics weigh real-world exploit complexity.

Key Takeaways
  • CVE-2026-35188 is a double-free in OpenSSL's OCSP stapling response verification, triggerable by a malicious TLS server delivering a crafted response.
  • ZDI declares RCE impact; the official CVE record assigns Moderate severity, citing the technical complexity of achieving reliable code execution.
  • The CVE record provides no explicit numerical CVSS score.
  • Official patches are released for OpenSSL 3.6.3 and 4.0.1.
  • OCSP stapling is not enabled by default in OpenSSL, and no FIPS modules are affected.
Key Stat

Moderate: the severity assigned by the official CVE record, despite the potential RCE declared by ZDI.

The Mechanism: How the Double-Free Works in OCSP Stapling

The flaw lies in the handling of OCSP stapling responses — the technique that allows a TLS server to attach a time-stamped OCSP responder response to its certificate chain. According to advisory ZDI-26-425: "The specific flaw exists within the processing of malformed OCSP responses. The issue results from the lack of validating the existence of an object prior to performing further free operations on the object."

The defect is classifiable as a double-free of memory. When the code executes the free operation twice on the same pointer without verifying the object's existence, the memory space is returned to the heap manager twice. This inconsistent state allows manipulation of the allocator's internal structures.

The CVE-2026-35188 record summarizes the vector: "A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path." The condition requires that the client has explicitly enabled OCSP stapling — an option not active by default — and that it initiates a connection to a server under the attacker's control.

RCE Versus Moderate: Two Sources, Two Readings

FACT — ZDI Quote: "This vulnerability allows remote attackers to execute arbitrary code on affected installations of OpenSSL. User interaction is required to exploit this vulnerability in that the target must make a request to a malicious server."

FACT — CVE Quote: "Reliable code execution through a double-free is technically complex and highly environment-dependent but the Denial of Service impact is straightforward to achieve, warranting Moderate severity."

ANALYSIS: The two converging primary sources — ZDI and CVE — offer different readings of the same bug. ZDI emphasizes the RCE potential without caveats. The CVE record, by contrast, calibrates severity based on practical exploitability: DoS is immediate and deterministic, while reliable code execution depends on external variables beyond the attacker's control.

ANALYSIS: This divergence reveals an orientation of CVE metrics: severity does not measure the danger of the worst hypothetical scenario, but the likelihood of realization under standard conditions. For organizations, the signal is dual: the absence of a critical rating does not justify patching delays, and the DoS risk is real and verifiable.

SOURCE LIMITATION: With two converging primary sources but no documented in-the-wild exploit and no explicit numerical CVSS score, risk assessment remains partially indeterminate. The CVE record provides no numerical CVSS score.

The Exposure Perimeter

The required configuration limits the attack surface. The CVE-2026-35188 record states that "OCSP stapling is not enabled by default," excluding standard installations.

A further restriction emerges for regulated environments: "No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary." Organizations operating under FIPS 140 requirements do not see their compliance assessments compromised, provided they use the separately validated cryptographic modules.

What to Do Now

Official patches are released for OpenSSL 3.6.3 and 4.0.1. The CVE record links to the specific GitHub commits for both version lines.

A prudent approach for operators: verify whether OCSP stapling is actually enabled in your systems before prioritizing the intervention. Disabling the functionality, where not needed, removes the attack vector without requiring an immediate update.

Editorial Close

The CVE-2026-35188 case illustrates the tension inherent in vulnerability communication: between the technical precision of the advisory and the synthesis of the official metric. ZDI says RCE without reservation; CVE says Moderate, citing complexity. Neither is technically wrong, but neither tells the whole story. The CVE record provides no numerical CVSS score, leaving the judgment on the real risk profile open.

For decision-makers, the lesson is methodological: the official severity is a starting point, not a destination. When sources diverge and quantitative data is missing, risk assessment requires cross-reading the attestations and awareness of documented limits.

Information has been verified against cited sources and is current as of publication.

Sources


Sources and references
  1. zerodayinitiative.com
  2. cve.org
  3. trendmicro.com