OpenSSL QUIC Server NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference has been identified in the OpenSSL QUIC server in versions 4.0, 3.6, and 3.5 when client address validation is disabled. An attacker can crash the server by sending an initial packet that carries an invalid or expired token. By default the OpenSSL QUIC server has client address validation enabled, so the default configuration is not affected. If a listener is created with the SSL_LISTENER_FLAG_NO_VALIDATE flag, however, the vulnerability can be triggered, causing abnormal termination of the QUIC server process and a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, leading to an abnormal termination of the QUIC server process and a denial-of-service condition.

Remediation

Users of OpenSSL 4.0 should upgrade to OpenSSL 4.0.1, users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.3, and users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.7.
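The following Python script is an added example, not part of this advisory or of the OpenSSL project. It turns the remediation guidance above into a fleet check: it parses the "OpenSSL X.Y.Z" string that `openssl version` prints, compares it against the per-branch fix versions listed in the Remediation section, and combines that with whether the deployment's QUIC listener uses SSL_LISTENER_FLAG_NO_VALIDATE (which the script cannot discover on its own, so it is passed in as a flag read from your own configuration). Treating branches not named in the advisory (for example 3.4) as "not listed" rather than "safe" is an assumption made here; the sample version strings are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Fix versions per affected branch, taken from the advisory's Remediation section.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (4, 0): (4, 0, 1),
    (3, 6): (3, 6, 3),
    (3, 5): (3, 5, 7),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from output such as 'OpenSSL 3.5.4 8 Oct 2025'.

    Returns None when no dotted triple is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Return the fixed release for this build's branch, or None if not listed."""
    v = parse_version(version_text)
    if v is None:
        return None
    fixed = FIXED_IN.get(v[:2])
    if fixed is None or v >= fixed:
        return None
    return ".".join(str(n) for n in fixed)


def assess(version_text: str, address_validation_disabled: bool) -> str:
    """Classify a deployment against this advisory.

    address_validation_disabled must reflect whether the QUIC listener is created
    with SSL_LISTENER_FLAG_NO_VALIDATE; that is configuration, not version data.

    Returns one of:
      "unknown"             - version string could not be parsed
      "not-listed"          - branch is not one the advisory names (assumption: out of scope)
      "fixed"               - build is at or past the fixed release for its branch
      "vulnerable"          - unpatched build AND address validation disabled
      "unpatched-mitigated" - unpatched build, but default validation is still on
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "not-listed"
    if v >= fixed:
        return "fixed"
    return "vulnerable" if address_validation_disabled else "unpatched-mitigated"


if __name__ == "__main__":
    # Constructed sample inputs in the shape of `openssl version` output.
    samples = [
        ("OpenSSL 3.5.4 8 Oct 2025", True),
        ("OpenSSL 3.5.4 8 Oct 2025", False),
        ("OpenSSL 3.6.3 (constructed)", True),
        ("OpenSSL 4.0.0 (constructed)", True),
        ("OpenSSL 3.4.2 (constructed)", True),
        ("no version here", True),
    ]
    for text, no_validate in samples:
        print(f"{text!r:40} no_validate={no_validate!s:5} -> {assess(text, no_validate)}"
              f" upgrade_to={recommended_upgrade(text)}")
```

In practice you would feed `assess()` the output of `openssl version` from each host and the listener flag from that host's server configuration; any "vulnerable" result is an immediate upgrade, and "unpatched-mitigated" hosts should still be scheduled for the fixed release since the mitigation depends on nobody later enabling SSL_LISTENER_FLAG_NO_VALIDATE.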

Added: Jun 9, 2026, 8:09 PM
Updated: Jun 9, 2026, 8:09 PM

Vulnerability Rating

Custom Algorithm

spread:          8.6
impact:          0.6
exploitability:  7.3
remediation:     8.3
relevance:       9.4
threat:          3.2
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.