QwikSec

Security Database

CVE

CWE

Training

CVE-2016-7053

Published: May 4, 2017

Modified: Sep 16, 2024

PUBLISHED

Description

In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.

Vendor	Product	Versions
OpenSSL	OpenSSL	affected `openssl-1.1.0` affected `openssl-1.1.0a` affected `openssl-1.1.0b`

References

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03744en_us

x_refsource_CONFIRM

vdb-entry

x_refsource_BID

https://www.openssl.org/news/secadv/20161110.txt

x_refsource_CONFIRM

vdb-entry

x_refsource_SECTRACK

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.