HOMEVULNERABILITIESCVE-2026-28387
NONE

CVE-2026-28387

CWE-416Published: April 7, 2026· Updated: Apr 8, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.5th

Official Description

Issue summary: An uncommon configuration of clients performing DANE TLSA-based

server authentication, when paired with uncommon server DANE TLSA records, may

result in a use-after-free and/or double-free on the client side.

Impact summary: A use after free can have a range of potential consequences

such as the corruption of valid data, crashes or execution of arbitrary code.

However, the issue only affects clients that make use of TLSA records with both

the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate

usage.

By far the most common deployment of DANE is in SMTP MTAs for which RFC7672

recommends that clients treat as 'unusable' any TLSA records that have the PKIX

certificate usages. These SMTP (or other similar) clients are not vulnerable

to this issue. Conversely, any clients that support only the PKIX usages, and

ignore the DANE-TA(2) usage are also not vulnerable.

The client would also need to be communicating with a server that publishes a

TLSA RRset with both types of TLSA records.

No FIPS modules are affected by this issue, the problem code is outside the

FIPS module boundary.

NVD Source

Technical Analysis

CVE-2026-28387 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

From a weakness classification perspective (CWE-416): Use-after-free vulnerabilities involve accessing memory after it has been freed, often enabling arbitrary code execution.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

News & Research Mentioning CVE-2026-28387

Siemens SIMATIC
CISA Alerts· May 14, 2026

View CSAF Summary SIMATIC CN 4100 contains multiple vulnerabilities which could potentially lead to a compromise in availability, integrity and confidentiality. Siemens has released a new version for SIMATIC CN 4100 and recommends to update to the latest version. The following versions of Siemens SIMATIC are affected: SIMATIC CN 4100 vers:intdot/ hpo_dp_link_enc before using it [WHAT & HOW] Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res without initializing hpo_dp_link_enc and it is necessary to check for null before dereferencing. This fixes 2 FORWARD_NULL issues reported by Coverity. View CVE Details Affected Products Siemens SIMATIC Vendor: Siemens Product Version: SIMATIC CN 4100 Product Status: known_affected Remediations [xlite_meta score:79 src:CISA Alerts xlite_fp:24398be83460e8bd8b0800e5360a3f73a2eb239b4cfc4a9afb9694e799548978]

All References (6)

Quick Facts

CVE IDCVE-2026-28387
SeverityNONE
WeaknessCWE-416
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 7, 2026

Known Threat Actors

wa
financial
B0
financial
core
financial

Related CVEs (CWE-416)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-28387 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.