
Improper Resource Shutdown or Release


Severity High
Score 7.5/10


The OPENSSL_LH_flush() function in OpenSSL 3.0.0-alpha1 through 3.0.2, which empties a hash table, contains a bug that breaks the reuse of the memory occupied by the removed hash table entries. The function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage grows without bound and the process may be terminated by the operating system, causing a denial of service; traversing the empty hash table entries also takes increasingly more time. Typical long-lived processes of this kind are TLS clients, and TLS servers configured to accept client certificate authentication. The function was added in OpenSSL 3.0.0-alpha1, so older release lines (1.1.1 and earlier) are not affected. The bug is fixed in OpenSSL 3.0.3; upgrading to 3.0.3 or later is the remediation.
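The advisory describes the symptom (unbounded growth and ever-slower traversal of an emptied table) but not the mechanism. The following is an added illustration written for this page, not OpenSSL's lhash code: a minimal chained hash table whose bucket array doubles when a load factor is exceeded, with a flush that frees every chain but, in the "buggy" mode, leaves the item count that drives expansion stale. That modelled defect is an assumption chosen to reproduce the reported behaviour; `buckets_after_cycles`, `LOAD_LIMIT` and the rest of the names are this example's own. Each cycle stands in for one decode-then-release of a certificate or key in a long-lived process.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy chained hash table (not OpenSSL's lhash). Growth is driven by a load
 * factor, so a stale item count keeps forcing expansions even though the
 * table is empty after every flush. */
typedef struct node_st {
    unsigned long key;
    struct node_st *next;
} node;

typedef struct {
    node **buckets;
    size_t num_buckets;
    size_t num_items;   /* number of entries the table believes it holds */
} table;

#define LOAD_LIMIT 2    /* expand when num_items > LOAD_LIMIT * num_buckets */

static table *table_new(void)
{
    table *t = calloc(1, sizeof(*t));
    if (t == NULL)
        abort();
    t->num_buckets = 16;
    t->buckets = calloc(t->num_buckets, sizeof(node *));
    if (t->buckets == NULL)
        abort();
    return t;
}

/* Double the bucket array and rehash every live entry into it. */
static void table_expand(table *t)
{
    size_t nb = t->num_buckets * 2;
    node **nbk = calloc(nb, sizeof(node *));
    if (nbk == NULL)
        abort();
    for (size_t i = 0; i < t->num_buckets; i++) {
        node *n = t->buckets[i];
        while (n != NULL) {
            node *nn = n->next;
            size_t h = n->key % nb;
            n->next = nbk[h];
            nbk[h] = n;
            n = nn;
        }
    }
    free(t->buckets);
    t->buckets = nbk;
    t->num_buckets = nb;
}

static void table_insert(table *t, unsigned long key)
{
    node *n = malloc(sizeof(*n));
    if (n == NULL)
        abort();
    n->key = key;
    size_t h = key % t->num_buckets;
    n->next = t->buckets[h];
    t->buckets[h] = n;
    t->num_items++;
    if (t->num_items > LOAD_LIMIT * t->num_buckets)
        table_expand(t);
}

/* Free every chain. reset_count == 0 models the assumed defect (the count
 * that drives expansion is left stale); reset_count != 0 models the fix. */
static void table_flush(table *t, int reset_count)
{
    for (size_t i = 0; i < t->num_buckets; i++) {
        node *n = t->buckets[i];
        while (n != NULL) {
            node *nn = n->next;
            free(n);
            n = nn;
        }
        t->buckets[i] = NULL;
    }
    if (reset_count)
        t->num_items = 0;
}

static void table_free(table *t)
{
    table_flush(t, 1);
    free(t->buckets);
    free(t);
}

/* Simulate a long-lived process: each cycle inserts items_per_cycle keys
 * (one decode) and then flushes. Returns the final bucket count, which stays
 * flat with the fix and keeps doubling with the stale count. */
size_t buckets_after_cycles(int cycles, size_t items_per_cycle, int reset_count)
{
    table *t = table_new();
    for (int c = 0; c < cycles; c++) {
        for (size_t k = 0; k < items_per_cycle; k++)
            table_insert(t, (unsigned long)k);
        table_flush(t, reset_count);
    }
    size_t nb = t->num_buckets;
    table_free(t);
    return nb;
}

int main(void)
{
    printf("stale count, 100 cycles: %zu buckets\n", buckets_after_cycles(100, 8, 0));
    printf("reset count, 100 cycles: %zu buckets\n", buckets_after_cycles(100, 8, 1));
    return 0;
}
```

With the count reset the table never leaves its initial 16 buckets no matter how many cycles run; with the stale count the bucket array doubles every time the accumulated total crosses the load limit, so both the memory held by the (empty) bucket array and the cost of walking it grow with uptime, which is the pattern the advisory describes for TLS peers that keep decoding certificates.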

CVSS v3 metrics (labels restored in the standard metric order; the Attack Vector and Scope entries are not shown on this page):

  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-404 - Improper Resource Shutdown or Release

The program does not release or incorrectly releases a resource before it is made available for re-use.

Advisory Timeline

  • Published