CVE-2022-4450: double-free in OpenSSL
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
AI Analysis
Technical Summary
CVE-2022-4450 is a double-free (CWE-415) in the PEM_read_bio_ex() function of OpenSSL. It affects OpenSSL 3.0.0 through 3.0.7 and 1.1.1 through 1.1.1s; it is fixed in 3.0.8 and 1.1.1t (both released 7 February 2023), and OpenSSL 1.0.2 is not affected. PEM_read_bio_ex() reads a PEM block from a BIO (OpenSSL's I/O abstraction), decodes the name (for example "CERTIFICATE"), any header lines and the base64 payload, and on success hands the caller three heap buffers, name_out, header and data, which the caller must free. When the payload decodes to zero bytes the function takes its error path, frees the buffers it allocated and returns a failure code, but leaves *header pointing at the header buffer it has just freed. A caller that frees the outputs regardless of the return value then frees that buffer a second time. On a modern allocator the second free is usually detected and the process aborts, so the practical outcome is a crash rather than controllable heap corruption, and the advisory accordingly describes the impact as denial of service. Anyone who can get a crafted PEM file into an affected parsing path can trigger it. PEM_read_bio() and PEM_read() are thin wrappers around PEM_read_bio_ex() and are affected directly; PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() reach the bug indirectly. OpenSSL's own PEM_read_bio_TYPE() functions and the decoders introduced in OpenSSL 3.0 are not affected because they do not free the header buffer when PEM_read_bio_ex() fails, which is also the pattern application code calling these functions directly should follow. The asn1parse command-line tool is affected. The CVSS v3.1 base score is 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network without privileges or user interaction, with impact limited to availability; the OpenSSL project's own advisory rated the issue Moderate. No exploitation in the wild has been reported.
Potential Impact
For European organizations, the impact of CVE-2022-4450 is a denial of service in applications and services that use a vulnerable OpenSSL to parse PEM files. The reachable surface is narrower than "anything linked against OpenSSL": certificates in a TLS handshake are carried DER-encoded, not as PEM, so a server that only terminates TLS with its own configured certificate does not expose this code to remote clients. The vulnerable functions are reached where a service parses PEM text it did not generate itself: certificate or key upload endpoints in admin consoles, API gateways and load balancers, VPN and mail gateways that accept client-supplied PEM, CA, ACME and certificate-management tooling, and command-line utilities such as asn1parse run over untrusted files. In those paths an attacker can crash the process, causing outages or degraded availability of web front ends, VPN gateways, mail servers and other security appliances that embed OpenSSL. The vulnerability does not compromise confidentiality or integrity, but repeated crashes can disrupt business continuity and breach service level agreements, and a denial of service of this kind can serve as a distraction in a multi-stage attack. Organizations in finance, healthcare, government and telecommunications, which depend heavily on certificate management and secure communications, are most exposed. The absence of known exploitation in the wild lowers immediate risk but does not remove it, given how widely the affected versions were deployed.
Mitigation Recommendations
To mitigate CVE-2022-4450, European organizations should: 1) Inventory every system and application running OpenSSL 3.0.0 through 3.0.7 or 1.1.1 through 1.1.1s, including statically linked and vendored copies inside containers, appliances and language runtimes, since `openssl version` on a host only reports the system library; prioritize anything that parses PEM from untrusted sources or calls the affected functions. 2) Upgrade to OpenSSL 3.0.8 or 1.1.1t, or to a distribution build that backports the fix; OpenSSL 1.1.1 reached end of life in September 2023, so remaining 1.1.1 deployments also need a migration plan. 3) Where patching lags, harden the code you control: callers of PEM_read_bio_ex(), PEM_read_bio() and PEM_read() must not free name_out, header or data when the call returns 0 (the pattern OpenSSL's own PEM_read_bio_TYPE() functions use), and endpoints that accept PEM should be restricted to authenticated, authorized principals. 4) Do not rely on ASLR or DEP, which do not address double frees; hardened allocators (for example glibc's double-free detection) typically turn the second free into an immediate abort, which contains memory corruption but still crashes the process, so pair them with supervisor restarts and rate limiting of the PEM-accepting path. 5) Monitor for the crash signature: allocator aborts such as glibc's "free(): double free detected in tcache 2", core dumps whose faulting stack includes PEM_read_bio_ex, and crashes correlated with certificate or key uploads. 6) Review certificate management workflows so that only PEM material from trusted sources is parsed. 7) For command-line tools such as asn1parse, restrict use to trusted users and do not run them over untrusted input in automated pipelines. 8) Confirm with software vendors and service providers that their products ship a fixed OpenSSL.
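The ownership contract described in the Technical Summary, and the caller-side hardening in mitigation step 3, as an added example in C. This is not OpenSSL code: model_pem_read_ex() is a small stand-in for PEM_read_bio_ex() with a simplified header rule (leading lines containing ':' up to and including a blank line) and a minimal base64 decoder, and its fixed flag switches between the pre-fix contract (a dangling *header on the zero-payload failure path) and the fixed contract, in which a failed call leaves the caller nothing to free. The two PEM samples are constructed for the example; naive_caller() is the pattern that double frees on an unpatched library, hardened_caller() the pattern OpenSSL's own PEM_read_bio_TYPE() functions use.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Base64 digit value, or -1 for anything that is not a base64 digit. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 text into out (whitespace and '=' skipped). Returns byte count, -1 on a bad char. */
static long b64decode(const char *in, size_t inlen, unsigned char *out) {
    unsigned int acc = 0; int bits = 0, v; long n = 0;
    for (size_t i = 0; i < inlen; i++) {
        int c = (unsigned char)in[i];
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t' || c == '=') continue;
        if ((v = b64val(c)) < 0) return -1;
        acc = (acc << 6) | (unsigned int)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)((acc >> bits) & 0xFF); }
    }
    return n;
}

static char *dupmem(const char *s, size_t n) {
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Stand-in for PEM_read_bio_ex() (not the OpenSSL implementation). Success: returns 1 and the caller
 * owns *name, *header and *data. Failure: returns 0 after freeing its own buffers. fixed == 0 mimics
 * the pre-fix contract, where *header is left pointing at the freed buffer; fixed == 1 mimics the
 * contract in 1.1.1t/3.0.8, where the caller is handed nothing to free. */
static int model_pem_read_ex(const char *pem, char **name, char **header,
                             unsigned char **data, long *len, int fixed)
{
    const char *b = strstr(pem, "-----BEGIN ");
    const char *nend = b ? strstr(b + 11, "-----") : NULL;
    const char *body = nend ? strchr(nend, '\n') : NULL;
    const char *end = body ? strstr(++body, "-----END ") : NULL;
    if (end == NULL) return 0;

    /* Header lines are the leading lines containing ':' up to and including a blank line. */
    const char *p = body, *hdr_end = body;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t ll = nl ? (size_t)(nl - p) : (size_t)(end - p);
        if (ll > 0 && memchr(p, ':', ll) == NULL) break;
        p = nl ? nl + 1 : end;
        hdr_end = p;
        if (ll == 0) break;
    }
    *name = dupmem(b + 11, (size_t)(nend - b - 11));
    *header = dupmem(body, (size_t)(hdr_end - body));
    *data = malloc((size_t)(end - hdr_end) + 1);   /* decoded payload is never longer than the text */
    *len = (*name && *header && *data) ? b64decode(hdr_end, (size_t)(end - hdr_end), *data) : -1;
    if (*len > 0) return 1;

    /* Zero-payload (or malformed) path: free everything. The bug was forgetting to clear *header. */
    free(*name); free(*data); free(*header);
    *name = NULL; *data = NULL; *len = 0;
    if (fixed) *header = NULL;
    return 0;
}

/* Vulnerable caller pattern: free whatever the function wrote, success or not. Fine on the fixed
 * contract (free(NULL) is a no-op); a double free of header on the pre-fix one. Returns 1/0. */
static int naive_caller(const char *pem, int fixed) {
    char *name = NULL, *header = NULL; unsigned char *data = NULL; long len = 0;
    int ok = model_pem_read_ex(pem, &name, &header, &data, &len, fixed);
    free(name); free(header); free(data);          /* double free here when !ok && !fixed */
    return ok;
}

/* Hardened caller pattern (what PEM_read_bio_TYPE() does): on failure, own nothing and free nothing.
 * Returns the decoded payload length, or -1 on failure. Safe on both contracts. */
static long hardened_caller(const char *pem, int fixed) {
    char *name = NULL, *header = NULL; unsigned char *data = NULL; long len = 0;
    if (!model_pem_read_ex(pem, &name, &header, &data, &len, fixed))
        return -1;                                 /* name/header/data are not ours to free */
    free(name); free(header); free(data);
    return len;
}

/* Constructed sample inputs: a normal block ("hello" as payload) and a zero-payload block. */
static const char GOOD_PEM[] =
    "-----BEGIN TEST-----\nProc-Type: 4,ENCRYPTED\n\naGVsbG8=\n-----END TEST-----\n";
static const char EMPTY_PEM[] =
    "-----BEGIN TEST-----\nProc-Type: 4,ENCRYPTED\n\n-----END TEST-----\n";

int main(void) {
    printf("hardened, pre-fix contract, zero payload: %ld\n", hardened_caller(EMPTY_PEM, 0));
    printf("hardened, fixed contract,   good block:   %ld\n", hardened_caller(GOOD_PEM, 1));
    printf("naive,    fixed contract,   zero payload: %d\n", naive_caller(EMPTY_PEM, 1));
    /* naive_caller(EMPTY_PEM, 0) is the CVE: it would double free header and abort. */
    return 0;
}
```

Build with `cc -Wall -o pemmodel pemmodel.c` and run; the one call left commented out in main() is the condition the advisory describes, and uncommenting it on a glibc system produces the "double free detected" abort that step 5 of the mitigations tells you to watch for. The takeaway for application code is the shape of hardened_caller(): the return value, not the output pointers, decides whether anything is yours to free.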
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: openssl
- Date Reserved: 2022-12-13T13:38:08.598Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981fc4522896dcbdc3a5
Added to database: 5/21/2025, 9:08:47 AM
Last enriched: 7/3/2025, 12:00:40 PM
Last updated: 8/1/2025, 3:49:07 PM