Tomas Dulka

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 3.3 through 3.6 **Description** A TLS 1.3 connection utilizing certificate compression can be manipulated to allocate a substantial buffer prior to decompression, bypassing the configured certificate size limit. This can lead to per-connection memory allocations of approximately 22 MiB and increased CPU usage, potentially causing service degradation or denial of service. The issue arises from the uncompressed certificate length supplied by the peer in a CompressedCertificate message being used to expand a heap buffer without being constrained by the `max cert list` setting. This affects clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate. Servers that do not request client certificates are not susceptible to client-initiated attacks. **Recommendations** OpenSSL version 3.3: Set SSL OP NO RX CERTIFICATE COMPRESSION to disable receiving compressed certificates. OpenSSL version 3.4: Set SSL OP NO RX CERTIFICATE COMPRESSION to disable receiving compressed certificates. OpenSSL version 3.5: Set SSL OP NO RX CERTIFICATE COMPRESSION to disable receiving compressed certificates. OpenSSL version 3.6: Set SSL OP NO RX CERTIFICATE COMPRESSION to disable receiving compressed certificates.