PT-2024-4664 · Openssl+10

Matt Caswell +2

Published: 2024-05-10 · Updated: 2026-04-27

CVE-2024-4741

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: OpenSSL versions prior to 3.3 (the FIPS modules in 3.3, 3.2, 3.1, and 3.0 are not affected)
Description: The issue concerns the SSL_free_buffers() function in OpenSSL, which in certain situations causes memory to be accessed after it has been freed. This can lead to corruption of valid data, crashes, or execution of arbitrary code. The function is used to free the internal OpenSSL buffer that holds an incoming record being processed from the network. Two scenarios have been identified in which the buffer is freed even though it is still in use. A malicious attacker could attempt to engineer a situation in which this occurs, although there is no known active exploitation of this issue.
Recommendations: As a temporary workaround, consider disabling calls to SSL_free_buffers() until a patch is available. Restrict access to the vulnerable SSL_free_buffers() function to minimize the risk of exploitation. Only applications that directly call SSL_free_buffers() are affected by this issue, so avoid using it in such applications. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Use After Free


Related Identifiers

ALSA-2024:9333
ALSA-2024_9333
ALT-PU-2024-16921
ALT-PU-2024-16925
ALT-PU-2024-17181
ALT-PU-2025-1127
ALT-PU-2025-1184
AZL-42952
AZL-52910
AZL-52983
AZL-78564
BDU:2024-05176
CVE-2024-4741
DLA-3942-1
DLA-3942-2
ELSA-2024-9333
INFSA-2024_9333
JLSEC-2026-251
MGASA-2024-0200
MGASA-2024-0281
OESA-2024-1697
OESA-2024-1698
OESA-2024-1720
OESA-2024-1721
OESA-2025-1190
OESA-2025-1191
OESA-2025-1192
OESA-2025-1193
OESA-2025-1194
OPENSUSE-SU-2024:14219-1
OPENSUSE-SU-2024:14220-1
OPENSUSE-SU-2024_2020-1
OPENSUSE-SU-2024_2051-1
OPENSUSE-SU-2024_2059-1
OPENSUSE-SU-2024_2066-1
OPENSUSE-SU-2024_2088-1
OPENSUSE-SU-2024_2089-1
RHSA-2024:9333
RHSA-2024_9333
RLSA-2024:9333
RLSA-2024_9333
SUSE-SU-2024:2020-1
SUSE-SU-2024:2035-1
SUSE-SU-2024:2036-1
SUSE-SU-2024:2051-1
SUSE-SU-2024:2051-2
SUSE-SU-2024:2059-1
SUSE-SU-2024:2066-1
SUSE-SU-2024:2088-1
SUSE-SU-2024:2089-1
SUSE-SU-2024:2197-1
SUSE-SU-2024:2271-1
SUSE-SU-2024_2020-1
SUSE-SU-2024_2035-1
SUSE-SU-2024_2036-1
SUSE-SU-2024_2051-1
SUSE-SU-2024_2059-1
SUSE-SU-2024_2066-1
SUSE-SU-2024_2088-1
SUSE-SU-2024_2089-1
SUSE-SU-2025:03523-1
SUSE-SU-2025:03632-1
SUSE-SU-2025:20014-1
USN-6937-1
USN-7894-1
USN-7894-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Ibm Aix
Linuxmint
Openssl
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu