CVE-2018-16149

Name of the Vulnerable Software and Affected Versions axTLS version 2.1.3 and earlier

Description The issue concerns the sig verify() function in x509.c, where the PKCS#1 v1.5 signature verification process blindly trusts the declared lengths in the ASN.1 structure. This can be exploited by a remote attacker using small public exponents to generate crafted signatures for X.509 certificates, potentially causing illegal memory access and crashing the verifier.

Recommendations For axTLS version 2.1.3 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.