OpenSSL
Moderate fix1 remedy
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*, +1 more
Moderate fix1 remedy
- >= 0.10.39, < 0.10.72
OpenSSL Use-After-Free Vulnerability in Properties Handling
Vulnerability
Patched
A use-after-free vulnerability has been identified in OpenSSL's Rust bindings, specifically in the 'Md::fetch' and 'Cipher::fetch' functions. This issue arises when a 'Some(...)' value is passed to the properties argument, leading to undefined behavior. The vulnerability causes OpenSSL to misinterpret the properties as an empty string, due to the way string values are managed. The flaw is present in OpenSSL versions 0.10.39 through 0.10.71.
Impact
Exploitation of this vulnerability can lead to memory corruption, with OpenSSL incorrectly parsing property inputs, potentially causing applications to behave unexpectedly.
Reproduction
To reproduce this vulnerability, use OpenSSL's Rust bindings and call either the 'Md::fetch' or 'Cipher::fetch' functions. Pass a 'Some(...)' value to the properties argument. This will trigger the use-after-free condition, causing OpenSSL to treat the properties as an empty string.
Remediation
Users can upgrade to OpenSSL versions 0.10.72 or later, where this vulnerability has been fixed.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
8.6impact
2.5exploitability
9.5remediation
7.7relevance
0.0threat
6.4urgency
2.9incentive
10.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.