CVE-2023-0216
Aliases: GHSA-29xx-hcv2-c4cp, RUSTSEC-2023-0011
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 08 Feb 2023, 19:03
Last modified: 04 Nov 2025, 19:14
Vulnerability Summary
Overall Risk (default): medium (30/100)
CVSS Score: 7.5 HIGH, v3.1 (cve.org)
EPSS Score
0.85% LOW
1% probability +0.02%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
08 Feb 2023, 19:03
Published
Vulnerability first disclosed
04 Nov 2025, 19:14
Last Modified
Vulnerability information updated
Description
An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash, which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call these functions; however, third-party applications might call them on untrusted data.
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.85% • Percentile: 75%
Techniques & Countermeasures
- CWE-476 • NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Systems
- Crates.Io • openssl-src
≥ 300.0.0, < 300.0.12
- Unknown • OpenSSL
≥ 3.0.0, < 3.0.8 | ≥ 3.0.0, ≤ 3.0.7
- stormshield • stormshield_management_center
< 3.3.3
References (7)
- https://www.openssl.org/news/secadv/20230207.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=934a04f0e775309cadbef0aa6b9692e1b12a76c6
- https://security.gentoo.org/glsa/202402-08
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
- https://nvd.nist.gov/vuln/detail/CVE-2023-0216
- https://rustsec.org/advisories/RUSTSEC-2023-0011.html
- https://crates.io/crates/openssl-src