Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close


Published: 7 February 2023

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.


1.0.2 is not affected



Cvss 3 Severity Score


Score breakdown


Package Release Status
Launchpad, Ubuntu, Debian
lunar Ignored
(end of life, was needs-triage)
bionic Needs triage

focal Needs triage

jammy Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

kinetic Ignored
(end of life, was needs-triage)
xenial Needs triage

mantic Not vulnerable
Launchpad, Ubuntu, Debian
lunar Not vulnerable
(uses system openssl)
bionic Not vulnerable
(uses system openssl1.0)
focal Not vulnerable
(uses system openssl)
kinetic Not vulnerable
(uses system openssl)
trusty Not vulnerable
(uses system openssl)
upstream Needs triage

mantic Not vulnerable
(uses system openssl)
xenial Not vulnerable
(code not present)
Released (12.22.9~dfsg-1ubuntu3.3)
Launchpad, Ubuntu, Debian
Released (3.0.8-1ubuntu1)
trusty Not vulnerable

Released (3.0.8,1.1.1t)
xenial Not vulnerable

Released (1.1.1-1ubuntu2.1~18.04.21)
Released (1.1.1f-1ubuntu2.17)
Released (3.0.2-0ubuntu1.8)
Released (3.0.5-2ubuntu2.1)
Released (3.0.8-1ubuntu1)
Launchpad, Ubuntu, Debian
bionic Not vulnerable

focal Does not exist

jammy Does not exist

kinetic Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H