#VU68895 Buffer overflow in OpenSSL

Published: 2022-11-01 | Updated: 2022-12-18

Vulnerability identifier: #VU68895

Vulnerability risk: High

CVE-ID: CVE-2022-3602

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing the email address field inside an X.509 certificate. A remote attacker can supply a specially crafted certificate to the application, trigger a 4-byte buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, but requires that either a CA sign the malicious certificate or that the application continue certificate verification despite failing to construct a path to a trusted issuer.

Install updates from the vendor's website.

Vulnerable software versions

OpenSSL: 3.0.0 - 3.0.6
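As an added example (not part of this advisory and not OpenSSL project code), the script below checks an `openssl version` string, or the OpenSSL library the running Python interpreter is linked against, against the 3.0.0 - 3.0.6 range listed above. The sample version strings are constructed for illustration, and the function names `parse_openssl_version`, `is_affected`, `assess` and `running_interpreter_status` are chosen here.

```python
import re
import ssl

# Affected range as stated in the advisory: OpenSSL 3.0.0 through 3.0.6 (CVE-2022-3602).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches "3.0.6" as well as legacy-style "1.1.1q" (letter suffix is captured but ignored).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch) from a string such as 'OpenSSL 3.0.5 5 Jul 2022'
    or a bare '3.0.6'. Returns None when no version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def is_affected(version):
    """True when the (major, minor, patch) tuple lies inside the advisory's range.
    Anything outside 3.0.0 - 3.0.6 (e.g. 1.1.x, 3.1.x) is reported as not in range."""
    if version is None:
        return False
    return AFFECTED_MIN <= tuple(version[:3]) <= AFFECTED_MAX


def assess(text):
    """Human-readable verdict for one 'openssl version' line."""
    v = parse_openssl_version(text)
    if v is None:
        return "unknown: could not parse an OpenSSL version from %r" % text
    status = "AFFECTED" if is_affected(v) else "not in the affected range"
    return "%d.%d.%d: %s" % (v + (status,))


def running_interpreter_status():
    """Check the OpenSSL this Python is linked against.
    ssl.OPENSSL_VERSION_INFO is (major, minor, fix, patch, status)."""
    return is_affected(ssl.OPENSSL_VERSION_INFO[:3])


if __name__ == "__main__":
    # Constructed sample inputs in the layout 'openssl version' prints; dates are illustrative.
    samples = [
        "OpenSSL 3.0.6 11 Oct 2022",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q 5 Jul 2022",
        "OpenSSL 3.1.0 14 Mar 2023",
        "not an openssl banner",
    ]
    for s in samples:
        print(assess(s))
    print("linked OpenSSL:", ssl.OPENSSL_VERSION, "affected:", running_interpreter_status())
```

Run it on each host's `openssl version` output (or on the Python interpreter itself) to produce a quick inventory of which installations fall inside the advisory's range; applications that bundle their own copy of libssl need to be checked separately, since they do not use the system binary.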
