OpenSSL
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*
- >= 3.6, < 3.6.1
- >= 3.5, < 3.5.5
- >= 3.4, < 3.4.4
- >= 3.3, < 3.3.6
A vulnerability exists in OpenSSL versions 3.6, 3.5, 3.4, and 3.3, where a TLS 1.3 connection using certificate compression can be manipulated to allocate a large buffer before decompression. The buffer is allocated without first checking its size against the configured certificate size limit, leading to excessive memory use and additional CPU workload. The issue can cause service degradation or resource exhaustion, resulting in a denial-of-service condition.
Exploitation of this vulnerability causes per-connection memory allocations of up to approximately 22 MiB, along with extra CPU work, potentially leading to service degradation or resource exhaustion.
To reproduce this vulnerability, establish a TLS 1.3 connection with an OpenSSL build that has certificate compression enabled and at least one compression algorithm available. Negotiate the compression extension and send a CompressedCertificate message with an uncompressed certificate length that exceeds the max_cert_list setting. This will trigger the excessive memory allocation before the handshake process fails.
Users can upgrade to OpenSSL 3.6.1, 3.5.5, 3.4.4, or 3.3.6. Instructions for downloading these versions are available on the OpenSSL website.
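The ordering the description refers to, checking the declared uncompressed length against the certificate size limit before allocating, is shown below as an added example. It is not OpenSSL's code or its patch; the function name `cc_prepare_buffer`, the result codes and the `max_cert_list` parameter name are hypothetical, and the message layout is the CompressedCertificate structure from RFC 8879.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Result codes for this example (hypothetical names, not OpenSSL's). */
enum cc_result { CC_OK = 0, CC_TRUNCATED = -1, CC_BAD_LENGTH = -2,
                 CC_TOO_LARGE = -3, CC_NO_MEMORY = -4 };

/* Read a big-endian 24-bit integer. */
static uint32_t read_u24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/*
 * Parse the header of a CompressedCertificate body (RFC 8879):
 *   uint16 algorithm; uint24 uncompressed_length;
 *   opaque compressed_certificate_message<1..2^24-1>;
 * and allocate the decompression buffer only after the peer-declared
 * length has been checked against the caller's certificate size limit.
 */
int cc_prepare_buffer(const uint8_t *msg, size_t msg_len, size_t max_cert_list,
                      uint8_t **out, size_t *out_len)
{
    uint32_t declared, comp_len;

    *out = NULL;
    *out_len = 0;
    if (msg_len < 8)                    /* 2 + 3 + 3 header bytes */
        return CC_TRUNCATED;
    declared = read_u24(msg + 2);       /* uncompressed_length */
    comp_len = read_u24(msg + 5);       /* length of compressed payload */
    if (comp_len == 0 || comp_len != msg_len - 8)
        return CC_BAD_LENGTH;
    /* Reject an oversized declared length before any allocation happens. */
    if (declared == 0 || declared > max_cert_list)
        return CC_TOO_LARGE;
    *out = malloc(declared);
    if (*out == NULL)
        return CC_NO_MEMORY;
    *out_len = declared;
    return CC_OK;
}
```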