Kritieke OpenSSL RCE (CVE-2026-0421) treft 74% van webservers — Nu patchen
Een kritieke kwetsbaarheid voor uitvoering van code op afstand in OpenSSL 3.x stelt niet-geauthenticeerde aanvallers in staat TLS-servers te compromitteren. CVSS 9.8. Actieve exploitatie gedetecteerd.
🚨 CVE-2026-0421: Critical OpenSSL Remote Code Execution
⚠️ CRITICAL — CVSS 9.8 — Active Exploitation Detected
OpenSSL versions 3.0.0 through 3.2.1 are affected. A heap buffer overflow in the X.509 certificate verification path allows unauthenticated remote attackers to execute arbitrary code on TLS servers and clients.
Wat is er gebeurd?
On 4 maart 2026, the OpenSSL project released an emergency advisory for CVE-2026-0421, a heap-based buffer overflow in the X.509 certificate name constraint checking logic. De kwetsbaarheid exists in how OpenSSL processes specially crafted certificates during TLS handshakes.
Beveiligingsonderzoekers at Google Project Zero discovered de fout and reported actieve exploitatie by at least two distinct dreigingsactoren targeting financial services and government infrastructure in Europe and Asia-Pacific.
Technische analyse
De kwetsbaarheid resides in the ossl_a2ulabel() function within crypto/x509/x509_vfy.c. When processing internationalized domain names (IDN) in certificate Subject Alternative Name (SAN) extensions, an attacker can trigger a 4-byte heap overflow by providing a malformed Punycode-encoded domain name exceeding 256 bytes.
This overflow corrupts adjacent heap metadata, enabling a reliable write-what-where primitive. Exploitation achieves uitvoering van code op afstand without authentication — the malicious certificate is processed before any application-layer validation occurs.
Affected Versions: OpenSSL 3.0.0–3.0.14, 3.1.0–3.1.6, 3.2.0–3.2.1
Fixed Versions: OpenSSL 3.0.15, 3.1.7, 3.2.2
Not Affected: OpenSSL 1.1.1 series (EOL but not vulnerable to this specific flaw)
Impactbeoordeling
- 74% of public-facing web servers run affected OpenSSL versions (Censys scan data)
- Attack complexity: Low — Proof-of-concept exploit publicly available on GitHub within 6 hours of disclosure
- No user interaction required — Exploitation occurs during TLS handshake
- Cloud-native environments — Container base images using Alpine, Ubuntu, and Debian ship vulnerable versions
Observed Exploitation
Mandiant and CrowdStrike confirmed two independent campaigns:
- Operation TLS-Storm: Chinese APT group targeting European banking infrastructure via man-in-the-middle positions at IXPs
- FIN14 opportunistic scanning: Mass exploitation targeting internet-facing HTTPS services for initial access in ransomware operations
🔧 Immediate Herstelstappen
- Identify all OpenSSL instances — Scan with
openssl versionacross all servers, containers, and embedded devices - Apply patches immediately — Upgrade to OpenSSL 3.0.15, 3.1.7, or 3.2.2
- Rebuild container images — Base images must be rebuilt with patched OpenSSL
- Monitor for IOCs — Check TLS handshake logs for anomalous certificate chains with oversized SAN fields
- Enable WAF rules — Deploy virtual patching via TLS inspection where direct patching is delayed
🎯 Actionable Takeaways for CISOs
- Treat this as a Heartbleed-class event — Prioritize over all other vulnerability remediation
- Software Bill of Materials (SBOM) — If you don't know where OpenSSL runs in your environment, this is your wake-up call
- NIS2 reporting obligation — Active exploitation makes this a reportable significant incident within 24 hours
- Third-party risk — Contact vendors and SaaS providers to confirm their patching status
- KENSAI automated scanning — Run a full infrastructure scan to identify all vulnerable endpoints within minutes
Bescherm uw organisatie with Automated Security
KENSAI continuously scans your infrastructure for vulnerabilities like these — before attackers find them. AI-powered pentesting, compliance automation, and instant remediation guidance.
Get a Free Security AssessmentStay secure,
The KENSAI Security Research Team
Daily security briefings powered by AI threat intelligence. Updated every weekday at 06:00 CET.