VYPR
High severity · NVD Advisory · Published Feb 8, 2023 · Updated Nov 4, 2025

Double free after calling PEM_read_bio_ex

CVE-2022-4450

Description

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double free in OpenSSL's PEM_read_bio_ex() function, triggered by a specially crafted PEM file with zero-length payload data, leads to a denial of service.

Vulnerability

The function PEM_read_bio_ex() in OpenSSL reads and decodes PEM files. When processing a specially crafted PEM file with zero bytes of payload data, the function returns a failure code but frees the header buffer and then assigns the freed pointer to the header argument. If the caller then frees the header buffer, a double free occurs, typically resulting in a crash [1][2].
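As an added illustration of the mechanism described in the Description and Vulnerability sections above (not OpenSSL's code): a hypothetical pem_split() that models the PEM_read_bio_ex() out-parameter contract with the corrected error handling, beside the caller-side rule that OpenSSL's unaffected internal users followed. The PEM parsing is simplified, and the two sample inputs are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the PEM_read_bio_ex() contract, not OpenSSL code. The
 * CVE-2022-4450 error path freed the header buffer but still published its
 * address via *header, so a caller that freed it hit a double free. Here the
 * outputs are set only on success (NULL on failure) and freed only after it. */
static char *dup_range(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p != NULL) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}
/* Split a PEM blob into name, header block and payload; returns 1 on success. */
int pem_split(const char *pem, char **name_out, char **header, char **data)
{
    const char *hdr, *body, *end, *blank;
    char *n = NULL, *h = NULL, *d = NULL;
    *name_out = *header = *data = NULL;        /* never hand back stale pointers */
    if ((hdr = strstr(pem, "-----BEGIN ")) == NULL) return 0;
    hdr += strlen("-----BEGIN ");
    if ((body = strstr(hdr, "-----\n")) == NULL) return 0;
    n = dup_range(hdr, (size_t)(body - hdr));
    body += strlen("-----\n");
    if ((end = strstr(body, "-----END ")) == NULL) goto err;
    blank = strstr(body, "\n\n");              /* blank line ends optional "Key: value" headers */
    if (blank != NULL && blank < end) {
        h = dup_range(body, (size_t)(blank + 1 - body));
        body = blank + 2;
    } else h = dup_range("", 0);
    if (end == body) goto err;                 /* zero-length payload: the CVE trigger */
    d = dup_range(body, (size_t)(end - body));
    if (n == NULL || h == NULL || d == NULL) goto err;
    *name_out = n; *header = h; *data = d;     /* ownership moves only on success */
    return 1;
err:
    free(n); free(h); free(d);                 /* outputs stay NULL: nothing to double free */
    return 0;
}

/* Caller side: free the three buffers only when pem_split() returned 1. */
int payload_len(const char *pem)
{
    char *name, *header, *data;
    if (!pem_split(pem, &name, &header, &data)) return -1;  /* failure: nothing to free */
    int len = (int)strlen(data); free(name); free(header); free(data);
    return len;
}
/* Constructed samples: a normal blob and the zero-payload shape behind the CVE. */
static const char GOOD_PEM[] = "-----BEGIN CERTIFICATE-----\nProc-Type: 4,ENCRYPTED\n\nQUJD\n-----END CERTIFICATE-----\n";
static const char EMPTY_PEM[] = "-----BEGIN CERTIFICATE-----\nProc-Type: 4,ENCRYPTED\n\n-----END CERTIFICATE-----\n";
```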

Exploitation

An attacker can exploit this by supplying a malicious PEM file to any application that parses untrusted PEM data using vulnerable functions. Directly affected functions include PEM_read_bio(), PEM_read(), and indirectly PEM_X509_INFO_read_bio_ex(), SSL_CTX_use_serverinfo_file(), and the asn1parse command line tool [2]. The attacker does not need authentication; only the ability to deliver a crafted PEM file is required.

Impact

Successful exploitation leads to a denial of service via application crash. While the vulnerability is classified as moderate severity, it can be triggered remotely if the application processes PEM data from untrusted sources.

Mitigation

OpenSSL has released fixed versions: 1.1.1t and 3.0.8, and 1.0.2zg for premium customers [1][3]. Users should upgrade to these or later versions. The Gentoo GLSA also recommends upgrading to >=dev-libs/openssl-3.0.10 [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions         Patched versions
openssl-src   crates.io   < 111.25.0                111.25.0
openssl-src   crates.io   >= 300.0.0, < 300.0.12    300.0.12

Affected products: 74


References: 8
