Incorrect Buffer Freedom in OpenSSL May Lead to Use After Free Vulnerability
CVE-2024-4741

7.5HIGH

Key Information:

Vendor

OpenSSL
Status
OpenSSL
Vendor
CVE Published:
13 November 2024

Badges

๐Ÿ“ฐ News Worthy

What is CVE-2024-4741?

A vulnerability in OpenSSL's SSL_free_buffers function can lead to use after free conditions. This occurs under specific circumstances where freed memory might still be accessed, leading to possible data corruption, application crashes, or arbitrary code execution. The issue is tied to situations where a network record's body has not been completely processed, allowing SSL_free_buffers to be called erroneously. Although this issue has the potential for exploitation, it is currently not known to be actively targeted by malicious actors. Importantly, specific FIPS modules are not impacted, highlighting the need for cautious deployment and patching.

Affected Version(s)

OpenSSL 3.3.0 < 3.3.1

OpenSSL 3.2.0 < 3.2.2

OpenSSL 3.1.0 < 3.1.6

News Articles

favicon imageRewterz

CVE-2024-4741 โ€“ OpenSSL Vulnerability - Rewterz

OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the SSL_free_buffers API function.

References

https://www.openssl.org/news/secadv/20240528.txt
vendor-advisory
https://github.com/openssl/openssl/commit/e5093133c35ca82...
patch
https://github.com/openssl/openssl/commit/c88c3de51020c37...
patch

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • ๐Ÿ“ฐ

    First article discovered by Rewterz

JSON
.