Commit 58633b658f for openssl.org

commit 58633b658fe74095c8cdde191e4ce1bf94f8c5f9
Author: Daniel Kubec <kubec@openssl.foundation>
Date:   Mon May 18 15:01:25 2026 +0200

    Fix Double-free When Checking OCSP Stapled Response

    If OCSP stapling is enabled and the TLS client connects to a malicious server,
    a crafted OCSP stapled response can trigger a double free in the TLS client
    when the stapled response is checked.

    OCSP stapling is not enabled by default. Reliable code execution
    through a double-free is technically complex and highly environment-dependent,
    but the Denial of Service impact is straightforward to achieve, warranting
    Moderate severity.

    Fixes CVE-2026-35188

    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Mon Jun  8 14:44:58 2026

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 27ea9921cd..c283a6a793 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1303,6 +1303,7 @@ static int check_cert_ocsp_resp(X509_STORE_CTX *ctx)

     if (OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
         OCSP_BASICRESP_free(bs);
+        bs = NULL;
         ret = X509_V_ERR_OCSP_RESP_INVALID;
         goto end;
     }
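
Review bot: In the OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL branch of check_cert_ocsp_resp, the added "bs = NULL;" after OCSP_BASICRESP_free(bs) leaves two places responsible for releasing bs: this branch, and whatever cleanup runs at the end label (not visible in this hunk, but the NULL assignment only matters if that cleanup frees bs as well). If the end path already frees bs, dropping the explicit OCSP_BASICRESP_free(bs) here and letting "goto end" do the release would give bs a single owner and remove the need to remember the NULL reset. Any other early exit in this function that frees bs before jumping to end should be checked for the same pattern. The diff shown touches only crypto/x509/x509_vfy.c, so a regression test that feeds the client a stapled response with a non-successful status, run under a memory sanitizer, would be worth adding alongside it.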