{ "document": { "aggregate_severity": { "text": "Low" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu20.04els/vex/2026/cve-2026-28387-els_os-ubuntu20_04els.json" } ], "tracking": { "current_release_date": "2026-04-24T21:55:02Z", "generator": { "date": "2026-04-24T21:55:02Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2026-28387-ELS_OS-UBUNTU20.04ELS", "initial_release_date": "2026-04-07T00:00:00Z", "revision_history": [ { "date": "2026-04-07T00:00:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-04-20T12:33:48Z", "number": "2", "summary": "Official Publication" }, { "date": "2026-04-24T21:55:02Z", "number": "3", "summary": "Update document" } ], "status": "final", "version": "3" }, "title": "Security update on CVE-2026-28387" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Ubuntu 20.04", "product": { "name": "Ubuntu 20.04", "product_id": "Ubuntu-20", "product_identification_helper": { "cpe": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*" } } } ], "category": "product_family", "name": "Ubuntu" }, { "branches": [ { "category": "product_version", "name": "libssl-dev-0:1.1.1f-1ubuntu2.24.amd64", "product": { "name": "libssl-dev-0:1.1.1f-1ubuntu2.24.amd64", "product_id": "libssl-dev-0:1.1.1f-1ubuntu2.24.amd64", "product_identification_helper": { "purl": "pkg:deb/ubuntu/libssl-dev@1.1.1f-1ubuntu2.24?arch=amd64" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Canonical Ltd." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64", "product": { "name": "libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64", "product_id": "libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/libssl-dev@1.1.1f-1ubuntu2.24%2Btuxcare.els2?arch=amd64" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64" }, "product_reference": "libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "libssl-dev-0:1.1.1f-1ubuntu2.24.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:libssl-dev-0:1.1.1f-1ubuntu2.24.amd64" }, "product_reference": "libssl-dev-0:1.1.1f-1ubuntu2.24.amd64", "relates_to_product_reference": "Ubuntu-20" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-28387", "cwe": { "id": "CWE-1341", "name": "Multiple Releases of Same Resource or Handle" }, "notes": [ { "category": "description", "text": "A flaw was found in OpenSSL. An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. This vulnerability could lead to data corruption, application crashes, or, in severe cases, arbitrary code execution. This issue is highly specific and uncommon, as it only affects clients using both PKIX-TA(0)/PKIX-EE(1) and DANE-TA(2) certificate usages and communicating with a server publishing a TLSA record set with both types of records.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Ubuntu-20:libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64", "Ubuntu-20:libssl-dev-0:1.1.1f-1ubuntu2.24.amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-28387" } ], "release_date": "2026-04-07T00:00:00Z", "remediations": [ { "category": "no_fix_planned", "details": "This is a client-side issue that only manifests with a highly specific, non-default DANE TLSA validation setup and requires the server to publish a mixed set of PKIX-TA/EE and DANE-TA TLSA records; standard PKI-only TLS is unaffected. The CVSS details indicate high attack complexity with no confidentiality or integrity impact and only low availability impact. Systems that do not enable DANE TLSA validation or that do not connect to servers with such mixed TLSA records have no exposure, making this a low-priority item.", "product_ids": [ "Ubuntu-20:libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64", "Ubuntu-20:libssl-dev-0:1.1.1f-1ubuntu2.24.amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Ubuntu-20:libssl-dev-0:1.1.1f-1ubuntu2.24+tuxcare.els2.amd64", "Ubuntu-20:libssl-dev-0:1.1.1f-1ubuntu2.24.amd64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ] } ] }