CVE-2024-4741

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 13/11/2024
Last modified: 13/11/2024

Description

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.

While these scenarios could occur accidentally during normal operation, a malicious attacker could attempt to engineer a situation where this occurs. We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
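To make the two "buffer still in use" states concrete, the following is an added, constructed C model of a record read buffer; it is not OpenSSL's code and the struct, field names and functions (rbuf, rbuf_feed, free_buffers_unchecked, free_buffers_checked) are assumptions for illustration. It contrasts a free that ignores buffer state with one that refuses while a record body is incomplete or application data is unread.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not OpenSSL's structures) of a TLS record read buffer,
 * holding only the state needed to show the two CVE-2024-4741 scenarios. */
#define HDR_LEN 5 /* TLS record header: type(1) version(2) length(2) */

struct rbuf {
    unsigned char *data; /* heap buffer holding raw record bytes */
    size_t cap;          /* capacity of data */
    size_t received;     /* bytes of the current record read so far */
    size_t body_len;     /* body length decoded from the header */
    int header_parsed;   /* header fully received and decoded */
    size_t app_consumed; /* application-data bytes handed to the caller */
};

static void rbuf_init(struct rbuf *b, size_t cap) {
    memset(b, 0, sizeof *b);
    b->data = calloc(cap, 1);
    b->cap = cap;
}

/* Append bytes from the network; decode the header once 5 bytes are in. */
static int rbuf_feed(struct rbuf *b, const unsigned char *p, size_t n) {
    if (b->data == NULL || b->received + n > b->cap) return 0;
    memcpy(b->data + b->received, p, n);
    b->received += n;
    if (!b->header_parsed && b->received >= HDR_LEN) {
        b->body_len = ((size_t)b->data[3] << 8) | b->data[4];
        b->header_parsed = 1;
    }
    return 1;
}

/* Scenario 1: header decoded, but the record body has not fully arrived. */
static int record_incomplete(const struct rbuf *b) {
    return b->header_parsed && b->received < HDR_LEN + b->body_len;
}

/* Scenario 2: full record present, but the application has not read it all. */
static int app_data_unread(const struct rbuf *b) {
    return b->header_parsed && b->received >= HDR_LEN + b->body_len
        && b->app_consumed < b->body_len;
}

/* Vulnerable pattern: frees the buffer regardless of whether it is in use,
 * leaving later record processing to touch freed memory. */
static int free_buffers_unchecked(struct rbuf *b) {
    free(b->data); b->data = NULL; return 1;
}

/* Hardened pattern: returns 0 (nothing freed) while either scenario holds. */
static int free_buffers_checked(struct rbuf *b) {
    if (record_incomplete(b) || app_data_unread(b)) return 0;
    free(b->data); b->data = NULL; return 1;
}
```

The unchecked variant is kept only to show the shape of the bug; in a real deployment the mitigation is an OpenSSL build whose SSL_free_buffers performs the in-use check itself.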