Improper Resource Shutdown or Release
CVE-2022-1473
Summary
The OPENSSL_LH_flush() function in OpenSSL 3.0.0-alpha1 through 3.0.2, which empties a hash table, contains a bug that breaks the reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage will grow without bound and the process might be terminated by the operating system, causing a denial of service. Traversing the empty hash table entries will also take increasingly more time. Typically such long-lived processes are TLS clients, or TLS servers configured to accept client certificate authentication. The function was added in OpenSSL 3.0.0-alpha1, so older releases are not affected by the issue. The vulnerability is fixed in OpenSSL 3.0.3.
CVSS v3 base metrics (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH
CWE-404 - Improper Resource Shutdown or Release
The program does not release or incorrectly releases a resource before it is made available for re-use.
Advisory Timeline
- Published