CVE-2022-4450

Aliases:GHSA-v5w6-wcm8-jm4qRUSTSEC-2023-0010

Advisory lineage Upstream: 0 Downstream: 23

Downstream

ALPINE-CVE-2022-4450 DEBIAN-CVE-2022-4450 DLA-3325-1 DSA-5343-1 MGASA-2023-0130 OPENSUSE-SU-2024:12688-1

Modified

Published: 08 Feb 2023, 19:04

Last modified:04 Nov 2025, 19:14

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.15% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

08 Feb 2023, 19:04

Published

Vulnerability first disclosed

04 Nov 2025, 19:14

Last Modified

Vulnerability information updated

Description

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.15%• Percentile: 35%

Techniques & Countermeasures

CWE-415•Double Free
The product calls free() twice on the same memory address.

Affected Systems

Crates.Io•openssl-src
< 111.25.0 | ≥ 300.0.0, < 300.0.12
Unknown•OpenSSL
≥ 1.1.1, < 1.1.1t | ≥ 3.0.0, < 3.0.8
stormshield•stormshield network security
≥ 4.0.0, < 4.3.16 | ≥ 4.4.0, < 4.6.3