Openssl · Openssl · CVE-2022-1473
**Name of the Vulnerable Software and Affected Versions**
OpenSSL versions 3.0.0 through 3.0.2
**Description**
The `OPENSSL_LH_flush()` function contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage will expand without bounds and the process might be terminated by the operating system, causing a denial of service. Also, traversing the empty hash table entries will take increasingly more time. Typically, such long-lived processes might be TLS clients or TLS servers configured to accept client certificate authentication.
**Recommendations**
For OpenSSL versions 3.0.0 through 3.0.2, update to OpenSSL 3.0.3 to resolve the issue. As a temporary workaround until the update can be applied, consider restricting the use of the `OPENSSL_LH_flush()` function. Avoid using this function in long-lived processes that periodically decode certificates or keys to minimize the risk of exploitation.
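The two checks a defender would want to run against the description and recommendations above, as an added example that is not part of this advisory or of the OpenSSL project's code: first, parse the banner printed by `openssl version` and decide whether the build falls in the affected 3.0.0 through 3.0.2 range; second, since the symptom is memory that grows with every certificate or key decode and is never given back, look at periodic RSS samples of a long-lived TLS process and flag monotonic, unbounded growth. The banner strings, the RSS sample series and the growth threshold are constructed for illustration; `local_openssl_version()` assumes an `openssl` binary is on the PATH and returns `None` otherwise.

```python
"""Triage helpers for CVE-2022-1473 (OpenSSL 3.0.0 - 3.0.2 hash-table flush leak).

Added example, not OpenSSL project code. Two defender-side checks:
  1. parse `openssl version` output and decide whether the build is in the
     affected range stated by the advisory;
  2. look at periodic RSS samples of a long-lived TLS process and flag the
     monotonic, unbounded growth the advisory describes.
Sample banners, RSS series and the threshold below are constructed values.
"""
import re
import subprocess
from typing import List, Optional, Tuple

AFFECTED_MIN = (3, 0, 0)   # first affected release, from the advisory
FIXED = (3, 0, 3)          # release that resolves the issue, from the advisory

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner; None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when AFFECTED_MIN <= version < FIXED, i.e. 3.0.0 through 3.0.2."""
    return AFFECTED_MIN <= version < FIXED


def local_openssl_version() -> Optional[Tuple[int, int, int]]:
    """Query the installed openssl binary (assumed on PATH); None if missing."""
    try:
        out = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, timeout=5
        ).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_openssl_version(out)


def rss_growth_suspicious(
    samples_kb: List[int], min_samples: int = 6, min_growth_kb: int = 10_240
) -> bool:
    """Heuristic leak indicator for a process that decodes certs/keys repeatedly.

    Flags when RSS never decreases across the sampling window and the total
    growth reaches min_growth_kb (constructed default: 10 MiB). A healthy
    steady-state process oscillates; one hitting this bug grows with every
    decode and never returns the memory, so the series is monotonic.
    """
    if len(samples_kb) < min_samples:
        return False
    never_shrinks = all(b >= a for a, b in zip(samples_kb, samples_kb[1:]))
    return never_shrinks and (samples_kb[-1] - samples_kb[0]) >= min_growth_kb


# Constructed banners in the shape `openssl version` prints.
SAMPLE_BANNERS = {
    "affected": "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "fixed": "OpenSSL 3.0.3 3 May 2022 (Library: OpenSSL 3.0.3 3 May 2022)",
    "legacy": "OpenSSL 1.1.1n  15 Mar 2022",
}

# Constructed RSS series (KiB) sampled once a minute from a TLS server.
STEADY_RSS_KB = [51200, 51712, 51300, 51900, 51400, 51800, 51500]
LEAKING_RSS_KB = [51200, 53248, 55296, 57344, 59392, 61440, 63488]


def triage(banner: str, rss_samples_kb: List[int]) -> str:
    """Combine both checks into a one-line verdict for an operator."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown OpenSSL version: cannot assess"
    if not is_affected(version):
        return "OpenSSL %d.%d.%d not in affected range" % version
    if rss_growth_suspicious(rss_samples_kb):
        return "affected build AND unbounded RSS growth: update to 3.0.3 now"
    return "affected build, no leak symptom yet: schedule update to 3.0.3"


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "->", triage(banner, LEAKING_RSS_KB))
    print("local build:", local_openssl_version())
```

The RSS heuristic is deliberately conservative: it requires the series to never shrink, because a process that frees memory between decodes is not exhibiting this bug even if its footprint trends upward for other reasons. For the affected range, the only durable fix is the update the advisory names; the workaround of not decoding certificates or keys repeatedly in a long-lived process only slows the growth.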