Microsoft's April 7, 2026 security advisory for CVE-2026-28387 pulls back the curtain on a gnarly use-after-free flaw in OpenSSL's DANE TLSA certificate validation. The bug, rated low severity, can become a double free when a client processes maliciously crafted TLSA records: a recipe for denial-of-service crashes and, in the worst case, remote code execution. The real kicker is its spread across the Windows software supply chain. From SQL Server to third-party VPN clients, any product bundling a vulnerable OpenSSL build puts your environment at risk. Patching this isn't a one-click Windows Update affair; it's a full-scale inventory and remediation slog. Here's what every Windows admin needs to know.
The technical nitty-gritty
DANE (DNS-Based Authentication of Named Entities) lets domain owners pin TLS certificates via DNSSEC-signed TLSA records. A connecting client uses those records to validate the server's certificate, thwarting rogue CAs. OpenSSL's implementation, however, had a crack. When parsing a specially formatted TLSA record, a memory object could be freed prematurely and then referenced again; that's the use-after-free. Under specific conditions a subsequent free hits the same memory, and the double free corrupts the heap. The OpenSSL project detailed three failure modes: a crash (DoS), information disclosure via heap inspection, or code execution if an attacker engineers the heap layout just right. The bug is client-side, so the attacker has to get poisoned TLSA records in front of the client. TLSA records are DNSSEC-signed, which means either defeating DNSSEC validation or controlling the validating resolver the client trusts; most DANE-capable clients do not validate on their own but accept the AD (authenticated data) bit set by their configured resolver, so a compromised or spoofable resolver on the path is the realistic route. That's a high bar, which is why the severity is low.
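To make the record handling concrete, here is an added example (my own, not OpenSSL's code and not from the article) of what a defensive TLSA consumer checks before it trusts a record. The advisory does not say which field OpenSSL mishandled, so this is generic RFC 6698 validation rather than a reproduction of the bug: the three one-byte header fields must carry known values, and the association data must have exactly the length the matching type implies. The field tables, the error class and the sample values are my own constructions.

```python
"""Parse and validate DNS TLSA RDATA (RFC 6698) before a client acts on it.

Added example: generic TLSA handling, not OpenSSL's code and not the specific
parsing defect behind CVE-2026-28387 (the advisory does not identify the field).
It shows the field and length checks a defensive client performs so that a
malformed record is rejected instead of being handed to the TLS library.
"""
import hashlib
import struct

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}  # RFC 6698 2.1.1
SELECTORS = {0: "Cert", 1: "SPKI"}                                   # RFC 6698 2.1.2
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}                 # RFC 6698 2.1.3
DIGEST_LEN = {1: 32, 2: 64}  # required association-data length for hashed types


class TlsaError(ValueError):
    """Raised for any record that must not reach the TLS library."""


def parse_tlsa(rdata: bytes) -> dict:
    """Decode one TLSA RDATA blob, rejecting unknown or inconsistent values."""
    if len(rdata) < 3:
        raise TlsaError("RDATA shorter than the 3-byte header")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    data = rdata[3:]
    if usage not in USAGES:
        raise TlsaError(f"unknown certificate usage {usage}")
    if selector not in SELECTORS:
        raise TlsaError(f"unknown selector {selector}")
    if mtype not in MATCHING:
        raise TlsaError(f"unknown matching type {mtype}")
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        # A digest of the wrong length can never match, and mismatched
        # lengths are a classic trigger for memory bugs in consumers.
        raise TlsaError(
            f"{MATCHING[mtype]} needs {DIGEST_LEN[mtype]} bytes, got {len(data)}")
    if mtype == 0 and not data:
        raise TlsaError("Full matching type with empty association data")
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": data}


def parse_presentation(text: str) -> dict:
    """Parse the zone-file form '3 1 1 <hex>' (whitespace inside the hex is allowed)."""
    parts = text.split(maxsplit=3)
    if len(parts) != 4:
        raise TlsaError("expected 'usage selector mtype hexdata'")
    try:
        header = bytes(int(p) for p in parts[:3])       # ValueError if >255
        data = bytes.fromhex("".join(parts[3].split()))  # ValueError if not hex
    except ValueError as exc:
        raise TlsaError(f"malformed presentation record: {exc}") from exc
    return parse_tlsa(header + data)


def association_matches(record: dict, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the certificate (or its SubjectPublicKeyInfo) the way the record demands."""
    subject = cert_der if record["selector"] == 0 else spki_der
    if record["mtype"] == 0:
        return record["data"] == subject
    algo = hashlib.sha256 if record["mtype"] == 1 else hashlib.sha512
    return record["data"] == algo(subject).digest()


if __name__ == "__main__":
    # Constructed sample: a DANE-EE, SPKI, SHA2-256 record for a made-up key.
    spki = b"constructed-spki-bytes"
    rec = parse_presentation("3 1 1 " + hashlib.sha256(spki).hexdigest())
    print(USAGES[rec["usage"]], association_matches(rec, b"", spki))
    try:
        parse_presentation("3 1 1 deadbeef")  # 4-byte "SHA-256" digest: rejected
    except TlsaError as exc:
        print("rejected:", exc)
```

The length check is the part worth copying: a client that trusts the length of the association data it was given, instead of the length the matching type dictates, is exactly the kind of consumer that ends up reading or freeing the wrong amount of memory.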
Affected OpenSSL versions include the 3.0.x series (3.0.0 through 3.0.14), the 3.1.x line (3.1.0 to 3.1.6), and early 3.2.x builds (3.2.0 to 3.2.2). The fix landed in OpenSSL 3.0.15, 3.1.7, and 3.2.3, released on March 28, 2026, ten days before Microsoft published its advisory. The OpenSSL project's own note states that only clients that enable DANE are vulnerable; in OpenSSL that is an explicit, per-connection opt-in (SSL_dane_enable() followed by SSL_dane_tlsa_add() for each record, with the DANE-EE or DANE-TA usages), so an application that never makes those calls never reaches the affected code. Servers are not directly impacted, but any service that acts as a DANE-enabled client to another server (think SMTP relays, LDAP clients, or database connectors) sits in the blast radius.
Microsoft\u2019s patch puzzle
Microsoft doesn't ship OpenSSL as a core Windows component. Instead, it's baked into a scattered fleet of products and services. The April 7 advisory points to specific Microsoft offerings that bundle a vulnerable OpenSSL library:
- SQL Server 2022 (all editions): The Database Engine uses OpenSSL 3.0.x for TLS connections. Cumulative Update 18 for SQL Server 2022, released April 10, 2026, includes the fixed OpenSSL 3.0.15. Earlier versions of SQL Server (2019, 2017) use older OpenSSL 1.x.x or Schannel and are unaffected.
- Azure DevOps Server 2022: This on-premises CI/CD suite ships with OpenSSL 3.1.4. A security hotfix (KB5039123) was issued on April 14.
- Windows OpenSSH (client and server components): The optional Windows feature added in Windows 10 1809 and Windows Server 2019 incorporates OpenSSL 3.0.8 in certain configurations when using DANE for host key verification. An out-of-band update delivered via the Microsoft Update Catalog on April 11 brings the library to 3.0.15. Note: this only matters if you've explicitly enabled DANE in the SSH client configuration, a rare setup.
- Microsoft Edge WebView2 Runtime: The embedded Chromium browser uses BoringSSL, not OpenSSL, so it's immune. But some internal Microsoft tools (e.g., Azure CLI extensions, certain Power BI components) depend on OpenSSL 3.1.x and received patches through their respective update channels.
The advisory also flags three non-Microsoft products deeply integrated into Windows environments:
- VMware Tools (11.x and 12.x) use OpenSSL 3.0.10 for TLS in guest-to-host communications. VMware issued patches on April 8.
- PuTTY 0.78 through 0.80 (the popular SSH client) uses OpenSSL 3.0.12 for DANE support; version 0.81 fixes it.
- cURL 8.0.0 through 8.7.0 on Windows, often bundled with Git for Windows and other dev tools, relies on OpenSSL 3.1.4. A new build (8.8.0) was released April 9.
Windows admins must chase these updates across multiple product silos. The MSRC advisory links to each vendor's download page, but no unified mechanism exists. That's the supply-chain headache.
Why your supply chain is the real threat
The OpenSSL library is everywhere on Windows, not just inside Microsoft products. Custom line-of-business applications, ERP clients, backup agents, and security tools often statically link or bundle OpenSSL. A 2025 survey by Flexera found that 67% of commercial Windows software includes at least one open-source cryptographic library, with OpenSSL topping the list. A single unpatched inventory tool hands an attacker who already has a foothold, and can shape the DNS answers that client sees, a crash-or-worse primitive against it. The DANE requirement narrows the exposure, but the defect is present in every affected build, and from the outside you usually cannot tell whether a bundled client enables DANE; one that does is a single poisoned TLSA answer away from a heap-corruption crash. True, the attack complexity is high, but defenders can't afford to gamble.
Consider a scenario: An attacker compromises a DNS resolver inside the corporate network and poisons the TLSA record for smtp.contoso.com, returning it with the AD bit set so the client treats it as DNSSEC-validated. The organization's email relay, whose outbound SMTP client is built on a vulnerable OpenSSL with DANE enabled, looks up that record on its next delivery attempt, triggers the double free, and crashes. Even temporary downtime of the email relay can halt operations. It's a niche exploit chain, but it meets the criteria of a credible threat for heavily regulated industries. CISA added CVE-2026-28387 to its Known Exploited Vulnerabilities catalog on April 15; KEV listings require evidence of active exploitation, which sits awkwardly with the advisory's statement that no in-the-wild exploits have been detected, so weigh both claims with care.
Patching playbook: Step by step
For Windows admins, the remediation unfolds in three phases.
Phase 1: Inventory everything that uses OpenSSL
Start with Microsoft products. Use these commands to identify Microsoft-owned OpenSSL binaries:
# Scan for signed OpenSSL DLLs (requires Sysinternals Sigcheck; -e executable images only, -s recurse, -c CSV output, -a extended version info)
sigcheck -accepteula -nobanner -e -s -c -a C:\ > openssl_inventory.csv
Then filter the CSV for the OpenSSL file names (libssl-3.dll, libcrypto-3.dll, their -x64 twins, and the 1_1 variants) and use the Publisher column to separate Microsoft-signed copies from third-party ones. Do not add -u: it restricts the listing to unsigned files, the opposite of what you want here.
For SQL Server, query the instance build number:
SELECT @@VERSION;
-- Build 16.0.4125.3 or higher indicates CU18 applied for SQL 2022
For Windows OpenSSH, check the version (ssh -V writes to stderr, hence the redirect):
ssh -V 2>&1 | findstr OpenSSL
Next, tackle third-party applications. Employ a software asset management tool like Belarc Advisor or FlexNet Manager, or query the installed-programs list. The classic one-liner is
wmic product get name,version,vendor | findstr /i "openssl"
but wmic is deprecated, enumerating Win32_Product triggers an MSI consistency check of every installed package, and it only sees products with "OpenSSL" in their display name. The Uninstall registry keys give the same list without the side effects:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*','HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -match 'openssl' | Select-Object DisplayName, DisplayVersion, Publisher
Better yet, scan the entire file system for libeay32.dll, ssleay32.dll, libssl-3.dll, and libcrypto-3.dll (plus their -x64 and 1_1-suffixed variants). PowerShell can help:
Get-ChildItem -Path C:\,D:\ -Recurse -File -Filter *.dll -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '^(libeay32|ssleay32|libssl-(3|1_1)|libcrypto-(3|1_1))(-x64)?\.dll$' } | Select-Object FullName, @{Name='Version';Expression={$_.VersionInfo.ProductVersion}}
Record every instance and cross-reference with vendor advisories. Bear in mind that a file-name scan misses statically linked copies; OpenSSL embeds its version banner (of the form "OpenSSL 3.0.12 24 Oct 2023") in every build, so a string search of suspect executables catches those too. The messy truth: many vendors will lag. Some may never patch. For unpatched software, consider isolation or removal.
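The cross-referencing step is tedious by hand, so here is an added Python example (mine, not Microsoft's or OpenSSL's tooling) that triages a list of discovered OpenSSL version strings against the affected ranges this article lists. It accepts the forms the inventory steps produce: a bare version, a Windows file version such as 3.0.12.0, or the banner string OpenSSL embeds in every build, which is what ssh -V and a string search of a statically linked binary return. The SAMPLE_INVENTORY paths and versions are constructed, and anything outside the listed 3.0, 3.1 and 3.2 ranges is reported as such rather than declared safe.

```python
"""Triage discovered OpenSSL versions against the affected ranges for CVE-2026-28387.

Added example, not Microsoft's or OpenSSL's tooling. The ranges and fix versions
are those the advisory text gives: 3.0.0-3.0.14 -> 3.0.15, 3.1.0-3.1.6 -> 3.1.7,
3.2.0-3.2.2 -> 3.2.3. Anything outside those series is reported as 'outside
listed ranges', not as safe; check the vendor advisory for it.
"""
import re
from typing import Optional, Tuple

# (first affected, last affected, first fixed) per the advisory
AFFECTED_RANGES = [
    ((3, 0, 0), (3, 0, 14), (3, 0, 15)),
    ((3, 1, 0), (3, 1, 6), (3, 1, 7)),
    ((3, 2, 0), (3, 2, 2), (3, 2, 3)),
]

# Matches "3.0.12", a Windows file version "3.0.12.0", a 1.1.1w-style tag, or the
# banner OpenSSL embeds in every build ("OpenSSL 3.0.12 24 Oct 2023").
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:[a-z]|\.\d+)?\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from any of the string forms above."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_version_or_None) for one version string."""
    ver = parse_version(text)
    if ver is None:
        return ("unparseable", None)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= ver <= high:
            return ("affected", ".".join(map(str, fixed)))
        if ver[:2] == fixed[:2] and ver >= fixed:
            return ("fixed", None)
    return ("outside listed ranges", None)


def triage(inventory: list) -> list:
    """inventory: dicts with 'path' and 'version' (as produced by the file scan)."""
    rows = []
    for item in inventory:
        status, fix = classify(item["version"])
        rows.append({**item, "status": status, "fix": fix})
    # Affected copies first, then the ones needing a human look, so the
    # report leads with what needs action.
    order = {"affected": 0, "unparseable": 1, "outside listed ranges": 2, "fixed": 3}
    return sorted(rows, key=lambda r: (order[r["status"]], r["path"]))


SAMPLE_INVENTORY = [  # constructed entries, not a real scan
    {"path": r"C:\Program Files\Git\mingw64\bin\libssl-3-x64.dll", "version": "3.1.4"},
    {"path": r"C:\Apps\Relay\libcrypto-3-x64.dll", "version": "3.0.12.0"},
    {"path": r"C:\Windows\System32\OpenSSH\ssh.exe", "version": "OpenSSL 3.0.15 28 Mar 2026"},
    {"path": r"C:\Apps\BackupAgent\libcrypto-1_1-x64.dll", "version": "1.1.1w"},
    {"path": r"C:\Apps\Legacy\ssleay32.dll", "version": ""},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['status']:<22} fix={row['fix'] or '-':<7} {row['path']}")
```

Feed it the FullName/Version pairs from the PowerShell scan (export them with Export-Csv and load them with the csv module) and hand the "affected" rows to whoever owns each path. Treat "unparseable" rows as work, not noise: an ssleay32.dll with no version resource is exactly the dusty dependency this article warns about.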
Phase 2: Prioritize and patch Microsoft components first
Since Microsoft products have clearly documented fixes, start there.
- SQL Server 2022: Download the latest Cumulative Update (CU18 or later) from the Microsoft Update Catalog. The CU is cumulative, so it includes all previous security fixes. Test in a staging environment, then roll out via your preferred patch management tool (WSUS, SCCM, or Windows Update for Business).
- Azure DevOps Server 2022: Apply KB5039123 manually or through the Azure DevOps Server product updates channel.
- Windows OpenSSH: The April 11 update is available as a standalone .cab file from the Microsoft Update Catalog. No reboot is required after installation, but any active SSH sessions will need to reconnect. Verify with ssh -V.
- Other Microsoft tools: Run Windows Update and check for optional updates. The MSRC advisory lists KB numbers for each; check those manually if automatic detection fails.
Phase 3: Hunt down third-party dependencies
This is the long tail. For widely used tools like VMware Tools, PuTTY, and cURL, download the latest versions directly. For cURL, remember that Git for Windows ships its own cURL copy; update Git to version 2.45.0 or later. For custom apps, pressure vendors for a timeline. In the interim, block these apps from making outbound connections to non-essential services, or disable DANE if the application exposes such a setting; many don't.
One critical step: check your group policy objects and firewall rules. If you enforce DANE TLSA validation on domain-bound Windows clients via custom registry keys or security baselines, you're widening the attack surface. Temporarily relax those policies until all clients are patched. This is especially relevant for environments with DNSSEC validation and DANE configured for SMTP or XMPP.
Mitigations and workarounds
If immediate patching isn't feasible, consider these tactical measures:
- Disable DANE in OpenSSL-based clients. OpenSSL itself offers no global off switch: there is no runtime environment variable that turns DANE off, because DANE is enabled per connection by the application (SSL_dane_enable()), so the switch, where one exists, is in the application's own configuration. Turning it off is a blunt instrument that gives up the certificate pinning DANE provides, but it keeps the vulnerable code path from executing. For server-side processes this is moot, since servers don't perform DANE client validation.
- Segment vulnerable hosts from the internet and from internal networks that run DNSSEC-validating resolvers you do not control. The bug requires feeding the client a poisoned DNS response; if the client can only reach resolvers you manage, the attack surface shrinks.
- Enable Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) at the system level. While these don't eliminate the bug, they raise the bar for reliable exploitation. On modern Windows both are on by default, but verify: "System Properties > Performance Options > Data Execution Prevention" shows the DEP policy, and Get-ProcessMitigation -System reports the system-wide defaults for both.
- Monitor for crashes in applications that use OpenSSL via the Windows Application event log (Event ID 1000, Application Error). Repeated faults with libcrypto-3 or libssl-3 in the faulting-module name, particularly with exception code 0xc0000374 (heap corruption), may indicate exploitation attempts; correlate them with DNS anomalies before declaring an incident.
None of these fully replace a patch. Treat them as temporary stopgaps.
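The crash-monitoring measure is the one you can automate cheaply. Here is an added Python example (mine, not Microsoft tooling and not from the article) that runs detection logic over Event ID 1000 messages: it parses the faulting application, faulting module and exception code, keeps events where the module is an OpenSSL DLL and the code is 0xc0000374 (STATUS_HEAP_CORRUPTION, what the Windows heap reports when it catches a double free) or 0xc0000005 (access violation, the usual symptom of a use-after-free), and groups repeats so a single crash does not page anyone. The SAMPLE_EVENTS are constructed in the Application-log Event 1000 message layout; in production feed it the Message property of each record from Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000}.

```python
"""Flag Application Error (Event ID 1000) records whose faulting module is OpenSSL.

Added example, not Microsoft tooling and not from the original article. It
parses the message text of Event 1000 as the Application log renders it, keeps
records where the faulting module is an OpenSSL DLL and the exception code is a
memory-corruption code, and groups repeats. The sample events are constructed.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional

OPENSSL_DLL = re.compile(r"^(libcrypto|libssl)-(3|1_1)(-x64)?\.dll$", re.IGNORECASE)
SUSPECT_CODES = {
    "0xc0000374": "heap corruption",   # STATUS_HEAP_CORRUPTION: double free caught by the heap
    "0xc0000005": "access violation",  # STATUS_ACCESS_VIOLATION: typical use-after-free symptom
}

_APP = re.compile(r"Faulting application name:\s*([^,]+), version:\s*([^,]+)")
_MOD = re.compile(r"Faulting module name:\s*([^,]+), version:\s*([^,]+)")
_EXC = re.compile(r"Exception code:\s*(0x[0-9a-fA-F]{8})")


def parse_event_1000(message: str) -> Optional[dict]:
    """Pull application, module and exception code out of one Event 1000 message."""
    app, mod, exc = _APP.search(message), _MOD.search(message), _EXC.search(message)
    if not (app and mod and exc):
        return None
    return {
        "app": app.group(1).strip(), "app_version": app.group(2).strip(),
        "module": mod.group(1).strip(), "module_version": mod.group(2).strip(),
        "code": exc.group(1).lower(),
    }


def is_openssl_crash(event: dict) -> bool:
    """True when the fault is inside an OpenSSL DLL with a memory-corruption code."""
    return bool(OPENSSL_DLL.match(event["module"])) and event["code"] in SUSPECT_CODES


def hunt(messages: Iterable[str], threshold: int = 1) -> List[dict]:
    """Group suspicious crashes by (app, module, version, code); report groups at/over threshold."""
    counts = Counter()
    for msg in messages:
        ev = parse_event_1000(msg)
        if ev and is_openssl_crash(ev):
            counts[(ev["app"], ev["module"], ev["module_version"], ev["code"])] += 1
    return [
        {"app": a, "module": m, "module_version": v, "code": c,
         "reason": SUSPECT_CODES[c], "count": n}
        for (a, m, v, c), n in counts.most_common() if n >= threshold
    ]


SAMPLE_EVENTS = [  # constructed messages in the Application-log Event 1000 layout
    "Faulting application name: smtprelay.exe, version: 1.4.2.0, time stamp: 0x65f1c2a0\n"
    "Faulting module name: libcrypto-3-x64.dll, version: 3.0.12.0, time stamp: 0x6536b3f1\n"
    "Exception code: 0xc0000374\nFault offset: 0x000000000009b0a3\nFaulting process id: 0x1a2c",
    "Faulting application name: smtprelay.exe, version: 1.4.2.0, time stamp: 0x65f1c2a0\n"
    "Faulting module name: libcrypto-3-x64.dll, version: 3.0.12.0, time stamp: 0x6536b3f1\n"
    "Exception code: 0xc0000374\nFault offset: 0x000000000009b0a3\nFaulting process id: 0x2f10",
    "Faulting application name: curl.exe, version: 8.7.0.0, time stamp: 0x65fa0000\n"
    "Faulting module name: libssl-3-x64.dll, version: 3.1.4.0, time stamp: 0x65110000\n"
    "Exception code: 0xc0000005\nFault offset: 0x0000000000041c22\nFaulting process id: 0x0c44",
    # Benign: an application crashing in its own code, not in OpenSSL
    "Faulting application name: notepad.exe, version: 10.0.22621.1, time stamp: 0x1234\n"
    "Faulting module name: notepad.exe, version: 10.0.22621.1, time stamp: 0x1234\n"
    "Exception code: 0xc0000005\nFault offset: 0x1000\nFaulting process id: 0x0100",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, threshold=2):
        print(hit)
```

The threshold is deliberate: one heap-corruption crash in an OpenSSL module is a bug report, a cluster of them in the same client shortly after a DNS change is a hunt. Pair the hits with the version triage from the inventory phase so a crash in a build you already know is affected gets priority.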
The bigger picture: OpenSSL and the Windows ecosystem
CVE-2026-28387 is a reminder that even a low-severity CVE can ripple through the supply chain. Microsoft's advisory, issued under the Microsoft Security Response Center's coordination with OpenSSL, is part of a broader push to improve transparency when open-source bugs impact Microsoft products. Since the Log4j meltdown, MSRC has published advisories for critical third-party libraries bundled with its software. This one, while low-risk, reinforces the trend.
But the detection gap remains glaring. Windows Update won't scan for vulnerable OpenSSL binaries installed by third parties. Organizations must rely on vulnerability scanners like Tenable, Qualys, or Microsoft Defender for Endpoint's software inventory feature to flag outdated libraries. If you're running Defender for Endpoint, enable the "Threat and Vulnerability Management" dashboard; it can now detect vulnerable OpenSSL versions across the fleet, thanks to a KB update pushed in March 2026.
Looking ahead, Microsoft plans to ship a native OpenSSL package with Windows Server 2026 and Windows 11 24H2, maintained through Windows Update. That will close the patching gap for Microsoft's own consumption but won't rein in the wild west of third-party bundling. The lesson is clear: supply-chain hygiene demands constant vigilance.
Final takeaway
Patch SQL Server, patch OpenSSH, and then audit everything else. The low severity might tempt you to slide this to the bottom of the pile, but the double-free primitive is a red flag. In the hands of a creative attacker, client-side corruption can escalate. For Windows shops, the real danger is forgetting that one dusty application server running an old backup client that links OpenSSL 3.0.5. Find it, patch it, or isolate it. Your incident response team will thank you.
More reading: