CVE-2022-4450

7.5 HIGH

📋 TL;DR

A double-free in OpenSSL's PEM parsing functions allows an attacker who can supply a specially crafted PEM file to crash the parsing application, causing a denial of service. Any application that parses PEM files through the affected OpenSSL functions, including certificate and key loading, is exposed.

💻 Affected Systems

Products:
  • OpenSSL
  • Applications using OpenSSL PEM parsing functions
Versions: OpenSSL 3.0.0 to 3.0.7, 1.1.1 to 1.1.1s
Operating Systems: All operating systems running affected OpenSSL versions
Default Config Vulnerable: ⚠️ Yes
Notes: Applications using PEM_read_bio_ex(), PEM_read_bio(), PEM_read(), PEM_X509_INFO_read_bio_ex() or SSL_CTX_use_serverinfo_file(), and the OpenSSL asn1parse command-line tool, are vulnerable.

📦 What is this software?

Openssl by Openssl

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Application crash leading to denial of service, potentially disrupting critical services that rely on OpenSSL for certificate processing.
🟠 Likely Case: Service disruption through application crashes when processing malicious PEM files, requiring restart of affected services.
🟢 If Mitigated: Limited impact with proper input validation and updated OpenSSL versions, preventing successful exploitation.

🌐 Internet-Facing: MEDIUM - Requires the attacker to supply malicious PEM files to a vulnerable parsing endpoint, which some configurations expose.
🏢 Internal Only: LOW - Typically requires the attacker to be able to supply PEM files to internal systems, which reduces the exposed surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to supply malicious PEM files to vulnerable parsing functions. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenSSL 3.0.8, 1.1.1t

Vendor Advisory: https://www.openssl.org/news/secadv/20230207.txt

Restart Required: Yes

Instructions:

1. Identify the OpenSSL version with 'openssl version'.
2. Update to OpenSSL 3.0.8 or 1.1.1t using the system package manager.
3. Restart all services using OpenSSL.
4. Recompile applications statically linked to OpenSSL.

🔧 Temporary Workarounds

Input validation for PEM files (Platform: all)

Implement strict validation of PEM file content before passing it to OpenSSL functions

Avoid vulnerable functions (Platform: all)

Use alternative OpenSSL functions not affected by this vulnerability where possible

🧯 If You Can't Patch

  • Implement strict input validation for all PEM file processing
  • Monitor for crashes in services using OpenSSL PEM parsing and implement rapid restart procedures
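The two workarounds above (strict PEM input validation, and the same point under "If You Can't Patch") are easiest to reason about with a concrete pre-validator. The following is an added example, not OpenSSL project code and not code from this advisory: a structural check that an application can run on untrusted bytes before handing them to the OpenSSL PEM functions. It accepts only a sequence of well-formed PEM blocks (matching BEGIN/END labels, optional "Name: value" header lines ended by a blank line, a body made only of base64 lines, and a payload that decodes to at least one byte) and rejects everything else. The function names, the error class and the sample inputs are all constructed for this example; the sample DER is a minimal ASN.1 SEQUENCE containing INTEGER 5.

```python
"""Structural pre-validation of PEM input before it reaches OpenSSL.

Added example (hypothetical helper names, not OpenSSL project code).
"""
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]+$")          # interior body lines
B64_LAST_LINE_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # padding only on the last line


class PemValidationError(ValueError):
    """Raised for any input the pre-validator refuses to forward to OpenSSL."""


def prevalidate_pem(data: bytes):
    """Return [(label, headers, der_bytes), ...] or raise PemValidationError."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise PemValidationError("PEM input must be ASCII") from exc
    lines = text.replace("\r\n", "\n").split("\n")
    blocks = []
    i, n = 0, len(lines)
    while i < n:
        if lines[i].strip() == "":
            i += 1
            continue
        begin = BEGIN_RE.match(lines[i])
        if begin is None:
            raise PemValidationError(f"line {i + 1}: expected a BEGIN line")
        label = begin.group(1)
        i += 1
        headers = {}
        # Encapsulated header lines (e.g. "Proc-Type: 4,ENCRYPTED") may follow
        # BEGIN directly and must be terminated by one blank line.
        if i < n and ":" in lines[i]:
            while i < n and lines[i].strip() != "":
                name, sep, value = lines[i].partition(":")
                if not sep or not name.strip():
                    raise PemValidationError(f"line {i + 1}: malformed header line")
                headers[name.strip()] = value.strip()
                i += 1
            if i >= n:
                raise PemValidationError("header block not terminated")
            i += 1  # consume the blank line that ends the headers
        body = []
        while i < n and END_RE.match(lines[i]) is None:
            body.append(lines[i])
            i += 1
        if i >= n:
            raise PemValidationError(f"block '{label}' has no END line")
        if END_RE.match(lines[i]).group(1) != label:
            raise PemValidationError(f"END label does not match BEGIN '{label}'")
        i += 1
        if not body:
            raise PemValidationError(f"block '{label}' has an empty payload")
        for ln in body[:-1]:
            if B64_LINE_RE.match(ln) is None:
                raise PemValidationError(f"block '{label}': non-base64 body line")
        if B64_LAST_LINE_RE.match(body[-1]) is None:
            raise PemValidationError(f"block '{label}': non-base64 body line")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError) as exc:
            raise PemValidationError(f"block '{label}': invalid base64") from exc
        if not der:
            raise PemValidationError(f"block '{label}' decodes to zero bytes")
        blocks.append((label, headers, der))
    if not blocks:
        raise PemValidationError("no PEM block found")
    return blocks


def passes_prevalidation(data: bytes) -> bool:
    """Gate function: True only if the bytes may be handed to OpenSSL."""
    try:
        prevalidate_pem(data)
        return True
    except PemValidationError:
        return False


# Constructed sample inputs (not real certificates or keys).
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
EMPTY_PAYLOAD_PEM = b"-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
MISMATCH_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
HEADER_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    b"MAMCAQU=\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in [("good", GOOD_PEM), ("empty", EMPTY_PAYLOAD_PEM),
                         ("mismatch", MISMATCH_PEM), ("header", HEADER_PEM)]:
        print(name, passes_prevalidation(sample))
```

Pass the original bytes, unchanged, to the OpenSSL call only when `passes_prevalidation` returns True. The vendor advisory linked above describes the faulty path as one in which the PEM payload is zero length, which is one of the degenerate shapes this validator refuses; the validator is a stopgap for systems that cannot yet move to 3.0.8 or 1.1.1t, not a replacement for the patch, and it deliberately does not try to reproduce OpenSSL's own parser.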

🔍 How to Verify

Check if Vulnerable:

Run 'openssl version' and check whether the reported version falls within 3.0.0 to 3.0.7 or 1.1.1 to 1.1.1s.

Check Version:

openssl version

Verify Fix Applied:

Run 'openssl version' and verify that the version is 3.0.8 or later in the 3.0 series, or 1.1.1t or later in the 1.1.1 series.
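The three verification steps above reduce to parsing the `openssl version` string and comparing it against the ranges on this page. The script below is an added example, not OpenSSL project tooling or code from this advisory; the function names (`parse_openssl_version`, `classify`, `check_local_binary`) are constructed for it, and the version strings in the sample are constructed from the format `openssl version` prints. It handles the letter-suffixed 1.1.1 series and the numeric 3.0 series with one tuple comparison.

```python
"""Classify an `openssl version` string against the ranges in this advisory.

Added example (hypothetical helper names, not OpenSSL project code).
"""
import re
import subprocess

# "OpenSSL 1.1.1s  1 Nov 2022" -> (1, 1, 1, "s"); "OpenSSL 3.0.7 1 Nov 2022" -> (3, 0, 7, "")
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Inclusive affected ranges from this page: 3.0.0 to 3.0.7 and 1.1.1 to 1.1.1s.
# Versions are (major, minor, patch, letter) tuples; the 1.1.1 series orders by
# letter suffix and "" < "a" < ... < "s" < "t" under plain tuple comparison.
AFFECTED = [((3, 0, 0, ""), (3, 0, 7, "")), ((1, 1, 1, ""), (1, 1, 1, "s"))]
FIXED = [(3, 0, 8, ""), (1, 1, 1, "t")]


def parse_openssl_version(text: str):
    """Extract (major, minor, patch, letter) from the output of `openssl version`."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'outside listed ranges' for a version string."""
    v = parse_openssl_version(text)
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "affected"
    for fix in FIXED:
        # Same release series (major.minor) as a fix release and at or beyond it.
        if v[:2] == fix[:2] and v >= fix:
            return "fixed"
    return "outside listed ranges"


def check_local_binary(binary: str = "openssl"):
    """Run `<binary> version` and classify what it reports."""
    out = subprocess.run([binary, "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), classify(out)


if __name__ == "__main__":
    reported, verdict = check_local_binary()
    print(f"{reported}: {verdict}")
```

Two caveats apply when reading the verdict. Distribution packages often backport the fix without changing the upstream version string, so an "affected" result on a vendor-packaged build should be confirmed against the package changelog rather than taken at face value. The `openssl` binary on PATH is also not necessarily the library a given service links against; check the application's linked libcrypto (or its static build, per step 4 of the instructions above) as well.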

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing PEM files
  • OpenSSL error logs showing parsing failures

Network Indicators:

  • Unusual PEM file uploads to services
  • Repeated connection attempts to PEM parsing endpoints

SIEM Query:

source="application.log" AND ("openssl" OR "PEM") AND ("crash" OR "segfault" OR "double free")
