PT-2017-3952 · Openssl · Openssl

Tyler Nighswander · Published 2017-01-26 · Updated 2017-07-28 · CVE-2016-7053

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions OpenSSL 1.1.0, 1.1.0a and 1.1.0b (all 1.1.0 releases before 1.1.0c). OpenSSL 1.0.2 is not affected.
Description A NULL pointer dereference in the OpenSSL ASN.1 code can be triggered while parsing invalid CMS structures. A bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 lets a NULL value be passed to the structure callback of a CHOICE when an attempt is made to free certain invalid encodings; only CHOICE types whose callback does not handle a NULL value are affected. An application that parses attacker-supplied CMS data (for example with the CMS_ContentInfo decoding functions) can be crashed by a remote attacker, resulting in a denial of service.
Recommendations Update OpenSSL 1.1.0 deployments to 1.1.0c or later, which contains the fix. Until the update can be applied, do not parse CMS structures from untrusted sources with an affected build; the NULL-handling behaviour of the CHOICE callbacks is internal to the library and cannot be worked around from application code.
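The bug class described above, as an added illustration that is not OpenSSL's code: a toy ASN.1-style CHOICE with a structure callback that assumes a non-NULL value, a decoder whose error path frees the partially built object, and the free routine in its vulnerable and hardened forms. All names (toy_choice, toy_choice_cb, toy_decode, choice_free_vulnerable, choice_free_fixed, null_hits_for) and the two-byte TLV encoding are constructed for this example; the real callback dereferences the NULL value and crashes, whereas the toy counts the event so the program can keep running.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the CVE-2016-7053 bug class: an ASN.1 CHOICE type with a
 * "structure callback" that assumes it is never handed a NULL value, and a
 * generic free routine that calls that callback on a decoder's error path
 * even when nothing was ever allocated. Constructed for illustration only;
 * none of these names are OpenSSL's. */

enum { OP_FREE_PRE = 1, OP_FREE_POST = 2 };   /* hypothetical callback ops */
enum { CHOICE_A = 0, CHOICE_B = 1 };           /* the two CHOICE alternatives */

typedef struct {
    int selected;           /* which alternative is populated */
    unsigned char *data;    /* payload of that alternative */
    size_t data_len;
} toy_choice;

/* Number of callback invocations that saw *pval == NULL. In the real bug the
 * callback dereferenced *pval at this point and the process crashed; the toy
 * records the event instead so the example can continue. */
static int g_null_callback_hits;

static int toy_choice_cb(int op, toy_choice **pval)
{
    if (op == OP_FREE_POST) {
        if (*pval == NULL) {          /* stands in for the fatal dereference */
            g_null_callback_hits++;
            return 0;
        }
        free((*pval)->data);          /* release the alternative's payload */
        (*pval)->data = NULL;
    }
    return 1;
}

/* Vulnerable pattern: the callback runs before *pval is checked. */
static void choice_free_vulnerable(toy_choice **pval)
{
    if (pval == NULL)
        return;
    toy_choice_cb(OP_FREE_PRE, pval);
    toy_choice_cb(OP_FREE_POST, pval);   /* reached with *pval == NULL on the error path */
    free(*pval);
    *pval = NULL;
}

/* Hardened pattern: a NULL value has nothing to free and never reaches the callback. */
static void choice_free_fixed(toy_choice **pval)
{
    if (pval == NULL || *pval == NULL)
        return;
    toy_choice_cb(OP_FREE_PRE, pval);
    toy_choice_cb(OP_FREE_POST, pval);
    free(*pval);
    *pval = NULL;
}

typedef void (*free_fn)(toy_choice **);

/* Minimal TLV decoder: one tag byte (0xA0 selects A, 0xA1 selects B), one
 * length byte, then the payload. Returns 0 and sets *out on success. On an
 * invalid encoding it returns -1 after running the free routine on whatever
 * was built so far; when the tag itself is rejected, *out is still NULL. */
static int toy_decode(const unsigned char *enc, size_t len, toy_choice **out, free_fn do_free)
{
    *out = NULL;
    if (len < 2 || (enc[0] != 0xA0 && enc[0] != 0xA1) || (size_t)enc[1] + 2 > len) {
        do_free(out);                 /* error path for an invalid encoding */
        return -1;
    }
    toy_choice *c = calloc(1, sizeof(*c));
    if (c == NULL)
        return -1;
    c->selected = (enc[0] == 0xA0) ? CHOICE_A : CHOICE_B;
    c->data_len = enc[1];
    c->data = malloc(c->data_len ? c->data_len : 1);
    if (c->data == NULL) { free(c); return -1; }
    memcpy(c->data, enc + 2, c->data_len);
    *out = c;
    return 0;
}

/* Decodes one buffer and reports how many times the callback saw a NULL
 * value; any non-zero result is the crash condition in the real library. */
static int null_hits_for(const unsigned char *enc, size_t len, int use_fixed)
{
    toy_choice *obj = NULL;
    free_fn f = use_fixed ? choice_free_fixed : choice_free_vulnerable;
    g_null_callback_hits = 0;
    if (toy_decode(enc, len, &obj, f) == 0)
        f(&obj);                      /* normal teardown of a valid object */
    return g_null_callback_hits;
}

int main(void)
{
    /* Constructed inputs: a valid encoding, a bogus tag, and a truncated payload. */
    static const unsigned char valid[] = { 0xA0, 0x03, 'a', 'b', 'c' };
    static const unsigned char bogus_tag[] = { 0x7F, 0x00 };
    static const unsigned char truncated[] = { 0xA0, 0x05, 'a' };

    printf("valid, vulnerable free:      %d NULL callback hits\n", null_hits_for(valid, sizeof valid, 0));
    printf("bogus tag, vulnerable free:  %d NULL callback hits\n", null_hits_for(bogus_tag, sizeof bogus_tag, 0));
    printf("truncated, vulnerable free:  %d NULL callback hits\n", null_hits_for(truncated, sizeof truncated, 0));
    printf("bogus tag, fixed free:       %d NULL callback hits\n", null_hits_for(bogus_tag, sizeof bogus_tag, 1));
    return 0;
}
```

The decoder never sees the malformed bytes themselves reach the callback; what matters is that the generic free routine is called on an object that was never allocated, and the vulnerable variant forwards that NULL to a callback written on the assumption that it always receives a live structure. The fix is the early `*pval == NULL` return, which is the shape of check a reviewer should expect in any free routine that dispatches to per-type callbacks.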

Fix

DoS

NULL Pointer Dereference


Weakness Enumeration

Related Identifiers

BDU:2020-02969
CVE-2016-7053

Affected Products

Openssl