CVE-2026-34180
Publication date 9 June 2026
Last updated 18 June 2026
Ubuntu priority
Description
Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Read the notes from the security team
Why is this CVE low priority?
OpenSSL developers have rated this as being low severity
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| edk2 | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| nodejs | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 14.04 LTS trusty |
Not affected
|
|
| openssl | 26.04 LTS resolute |
Fixed 3.5.5-1ubuntu3.2
|
| 25.10 questing |
Fixed 3.5.3-1ubuntu3.4
|
|
| 24.04 LTS noble |
Fixed 3.0.13-0ubuntu3.11
|
|
| 22.04 LTS jammy |
Fixed 3.0.2-0ubuntu1.25
|
|
| 20.04 LTS focal |
Fixed 1.1.1f-1ubuntu2.24+esm4
|
|
| 18.04 LTS bionic |
Fixed 1.1.1-1ubuntu2.1~18.04.23+esm9
|
|
| 16.04 LTS xenial |
Fixed 1.0.2g-1ubuntu4.20+esm16
|
|
| 14.04 LTS trusty |
Fixed 1.0.1f-1ubuntu2.27+esm14
|
|
| openssl-fips | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| openssl1.0 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Fixed 1.0.2n-1ubuntu5.13+esm5
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
mdeslaur
edk2 in jammy embeds OpenSSL 1.1.1j edk2 in noble embeds OpenSSL 3.0.9 edk2 in plucky embeds OpenSSL 3.4.0 edk2 in questing embeds OpenSSL 3.4.0 nodejs in jammy embeds OpenSSL 1.1.1m OpenSSL 4.0, 3.6, 3.5, 3.4, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.5 · High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8414-2
- OpenSSL vulnerabilities
- 9 June 2026
- USN-8414-1
- OpenSSL vulnerabilities
- 9 June 2026