VYPR
High severity · NVD Advisory · Published Dec 14, 2021 · Updated Sep 17, 2024

Invalid handling of X509_verify_cert() internal errors in libssl

CVE-2021-4044

Description

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In OpenSSL 3.0.0, libssl mishandles negative return values from X509_verify_cert(), which combined with a separate bug can cause crashes or infinite loops via a crafted certificate chain.

Vulnerability

In OpenSSL 3.0.0, the libssl library calls X509_verify_cert() internally on the client side to verify a certificate supplied by a server. This function may return a negative return value to indicate an internal error (e.g., out of memory). OpenSSL mishandles such a negative return value, causing an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success. A subsequent call to SSL_get_error() returns SSL_ERROR_WANT_RETRY_VERIFY, a value only supposed to be returned if the application has previously called SSL_CTX_set_cert_verify_callback() [1][3]. This issue is compounded by a separate bug in OpenSSL 3.0 that causes X509_verify_cert() to indicate an internal error when processing a certificate chain lacking the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints, even with valid chains [1][3]. Only OpenSSL 3.0.0 is affected; OpenSSL 1.1.1 and 1.0.2 are not [3].

Exploitation

An attacker controlling a server can craft a TLS certificate chain that triggers an internal error in X509_verify_cert() due to the name constraints bug. The attacker does not need special authentication or write access; they only need to induce a TLS connection from a client using OpenSSL 3.0.0. No user interaction beyond initiating the TLS handshake is required. The mishandling of the negative return value leads to SSL_get_error() returning the unexpected SSL_ERROR_WANT_RETRY_VERIFY value, which most applications are not programmed to handle [1][3]. The exact sequence depends on the application, but the attack is feasible by combining the two issues [3].

Impact

A successful exploit can cause application-dependent incorrect behavior, including crashes, infinite loops, or other denial-of-service conditions. The attacker does not gain code execution or data disclosure; the impact is primarily a denial of service. The vulnerability does not compromise the confidentiality or integrity of the TLS session itself, but can render the client application unresponsive or unstable [1][3].

Mitigation

The fix is included in OpenSSL 3.0.1, released on December 14, 2021 [1][3]. Users of OpenSSL 3.0.0 should upgrade to 3.0.1 immediately. OpenSSL 1.1.1 and 1.0.2 are unaffected. No workaround is available for 3.0.0; upgrading is the only mitigation. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| openssl-src | crates.io | >= 300.0.0, < 300.0.4 | 300.0.4 |
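
To check a Rust project against the affected range listed above for the openssl-src crate, the following added example (not part of the advisory or of any OpenSSL tooling) scans the text of a Cargo.lock file. The sample lockfile and the function names are constructed for illustration.

```python
import re

# Affected range for the openssl-src crate, taken from the advisory.
AFFECTED_MIN = (300, 0, 0)  # inclusive lower bound
FIRST_PATCHED = (300, 0, 4)  # exclusive upper bound

# A [[package]] stanza in Cargo.lock runs until a blank line or end of file.
STANZA = re.compile(r"\[\[package\]\]\n(.*?)(?=\n\s*\n|\Z)", re.S)
FIELD = re.compile(r'^(\w+)\s*=\s*"([^"]*)"', re.M)

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "cc"
version = "1.0.72"

[[package]]
name = "openssl-src"
version = "300.0.2+3.0.0"
dependencies = [
 "cc",
]
'''


def parse_version(text):
    """Return (major, minor, patch); '+build' metadata is ignored."""
    parts = text.split("+", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def affected_openssl_src(lock_text):
    """List openssl-src versions in a Cargo.lock that fall in the range."""
    hits = []
    for stanza in STANZA.findall(lock_text):
        fields = dict(FIELD.findall(stanza))
        if fields.get("name") == "openssl-src":
            version = fields.get("version", "")
            if AFFECTED_MIN <= parse_version(version) < FIRST_PATCHED:
                hits.append(version)
    return hits


if __name__ == "__main__":
    print(affected_openssl_src(SAMPLE_LOCK))
```

A non-empty result means the lockfile pins an openssl-src release inside the affected range and should be moved to 300.0.4 or later.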
