VYPR
High severity · NVD Advisory · Published Dec 13, 2022 · Updated Aug 3, 2024

X.509 Policy Constraints Double Locking

CVE-2022-3996

Description

If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup.

Policy processing is enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.

Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenSSL 3.0.0-3.0.7 has a double-lock bug in X.509 policy processing that can cause a denial of service on Windows systems.

Vulnerability

Description

CVE-2022-3996 is a denial-of-service vulnerability in OpenSSL versions 3.0.0 through 3.0.7. The bug occurs in the X.509 certificate policy constraint handling: when a malformed policy constraint is encountered and policy processing is enabled, the write lock is taken twice recursively [1][3]. This double-locking behavior causes the affected process to hang on certain operating systems, most notably Windows [1][3].

Exploitation

Conditions

Exploitation requires that policy processing is explicitly enabled by the server or application. This is done by passing the -policy argument to command-line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function in code [1][3]. The OpenSSL advisory notes that enabling policy processing on a publicly facing server is not considered a common setup, which reduces the attack surface [3]. The attacker would need to present a crafted X.509 certificate containing a malformed policy constraint to trigger the vulnerability [1].

Impact

When successfully triggered, the double lock causes the process to hang, resulting in a denial of service. The advisory states that this issue predominantly affects Windows systems, though the vulnerability exists in the code regardless of platform [1][3]. No evidence of exploitation in the wild was known at the time of the advisory [3].

Mitigation

The vulnerability was fixed in OpenSSL 3.0.8, which was released after the advisory [3]. The fix, introduced in commit 7725e7bfe, removes the redundant flag setting that caused the double lock [4]. OpenSSL 1.1.1 and 1.0.2 are not affected [3]. Users of OpenSSL 3.0.0-3.0.7 should upgrade to 3.0.8 or apply the patch from the referenced commit [3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions          Patched versions
openssl-src (crates.io)  >= 300.0.0, < 300.0.12     300.0.12

Affected products

39

Patches

1
7725e7bfe6f2

x509: fix double locking problem

https://github.com/openssl/openssl · Pauli · Nov 10, 2022 · via ghsa
1 file changed · +0 −4
  • crypto/x509/pcy_map.c · +0 −4 · modified
    @@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
     
         ret = 1;
      bad_mapping:
    -    if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
    -        x->ex_flags |= EXFLAG_INVALID_POLICY;
    -        CRYPTO_THREAD_unlock(x->lock);
    -    }
         sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
         return ret;
     
    
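Review bot: Removing the four lines under bad_mapping leaves this function with no place that records EXFLAG_INVALID_POLICY, and nothing else in the hunk sets it, so a reader of this diff cannot tell whether the error flag is now set by the caller or has simply been dropped. The removed block took CRYPTO_THREAD_write_lock(x->lock) on the ret == -1 path, which is the nested acquisition the commit title "x509: fix double locking problem" refers to; the intent, that the caller already holds x->lock and is responsible for setting the flag from the -1 return, should be stated in the commit message and in a short comment at the bad_mapping label, e.g. "/* caller holds x->lock and sets EXFLAG_INVALID_POLICY on -1 */", so that a future change does not reintroduce locking here. It would also help review to reference the CVE in the commit message, since the message alone gives no indication that the hang is security-relevant.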

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.