Denial of service in OpenSSL

Published: 2020-04-21
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-1967
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Server applications / Encryption software

Vendor OpenSSL Software Foundation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) NULL pointer dereference

EUVDB-ID: #VU27061

Risk: Medium


CVE-ID: CVE-2020-1967

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: Yes


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the SSL_check_chain() function during or after a TLS 1.3 handshake. A remote attacker can send an invalid or unrecognised signature algorithm and perform a denial of service (DoS) attack.


Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 1.1.1d - 1.1.1f

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?