Daniel Kubec

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the `status request` extension. This triggers a double-free in the client's certificate verification path when the stapled response is checked. A double-free occurs when a program attempts to free the same memory location twice, which can corrupt heap memory. This may lead to a Denial of Service, attacker-controlled code execution, or other undefined behavior. OCSP stapling is not enabled by default. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling OCSP stapling to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A NULL pointer dereference occurs when partial-chain certificate verification is enabled alongside OCSP response checking for the entire chain, provided the verified chain lacks a self-signed trusted anchor. This happens because the code attempts to access the next certificate as the issuer, but the issuer remains NULL for the final certificate in the chain under these specific conditions. This can lead to a process crash and a subsequent Denial of Service. The issue specifically affects applications that enable both the `X509 V FLAG OCSP RESP CHECK ALL` and `X509 V FLAG PARTIAL CHAIN` flags, both of which are disabled by default. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. Avoid enabling both `X509 V FLAG OCSP RESP CHECK ALL` and `X509 V FLAG PARTIAL CHAIN` flags simultaneously during certificate verification.