VYPR
High severity · NVD Advisory · Published Feb 8, 2023 · Updated Nov 4, 2025

X.400 address type confusion in X.509 GeneralName

CVE-2023-0286

Description

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Type confusion in OpenSSL's X.400 address processing can allow attackers to read memory or cause denial of service when CRL checking is enabled.

Vulnerability

OpenSSL contains a type confusion vulnerability in the parsing of X.400 addresses within X.509 GeneralNames [1][2]. The x400Address field was defined as ASN1_TYPE in the public structure, but it is actually parsed as an ASN1_STRING. This mismatch leads to the GENERAL_NAME_cmp function misinterpreting the data [3].

Exploitation

The attack requires CRL checking to be enabled (the X509_V_FLAG_CRL_CHECK flag) [1]. An attacker can supply both a crafted certificate chain and a CRL, neither needing a valid signature, to pass arbitrary pointers to a memcmp call [2]. In scenarios where only one input is controlled, the other must already contain an X.400 address as a CRL distribution point, which is uncommon [3].

Impact

Successful exploitation can lead to memory disclosure or denial of service (DoS) [1]. The vulnerability is rated High severity and affects OpenSSL versions 3.0, 1.1.1, and 1.0.2 [3].

Mitigation

OpenSSL has released fixed versions: 3.0.8, 1.1.1t, and 1.0.2zg (for premium support customers) [3]. Users should upgrade immediately. The issue was reported by David Benjamin (Google) on January 11, 2023 [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
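The fixed releases named under Mitigation can be turned into a quick triage check. The following is an added example, not code from OpenSSL or from this page; the function names and the sample version strings are constructed for illustration, and the fixed versions are the ones listed above.

```python
import re
import ssl

# Fixed release per affected branch, as listed in the advisory text above.
FIXED = {"3.0": "3.0.8", "1.1.1": "1.1.1t", "1.0.2": "1.0.2zg"}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return a sortable key from e.g. 'OpenSSL 1.1.1t' or a bare '1.0.2zg'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL-style version in {text!r}")
    major, minor, patch, letters = m.groups()
    # 1.x letter releases run a..z and then za, zb, ...; a longer suffix is
    # newer, and equal-length suffixes compare alphabetically.
    return int(major), int(minor), int(patch), len(letters), letters


def branch_of(key):
    """3.x branches are 'major.minor'; 1.x branches are 'major.minor.patch'."""
    return ".".join(str(n) for n in (key[:2] if key[0] >= 3 else key[:3]))


def status(version_text):
    """Classify a version string as 'affected', 'fixed' or 'not listed'."""
    if not version_text.startswith("OpenSSL"):
        return "not listed"  # other libraries are outside this advisory text
    key = parse_version(version_text)
    fixed = FIXED.get(branch_of(key))
    if fixed is None:
        return "not listed"  # branch not named in the advisory text above
    return "fixed" if key >= parse_version(fixed) else "affected"


def local_status():
    """Check the OpenSSL build this Python interpreter is linked against."""
    return status(ssl.OPENSSL_VERSION)


# Constructed sample version strings (not taken from the page).
SAMPLES = ["OpenSSL 3.0.7", "OpenSSL 3.0.8", "OpenSSL 1.1.1s", "OpenSSL 1.1.1t",
           "OpenSSL 1.0.2u", "OpenSSL 1.0.2zf", "OpenSSL 1.0.2zg", "OpenSSL 3.1.0"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:18} {status(s)}")
    print(f"{ssl.OPENSSL_VERSION:18} {local_status()}")
```

Distribution packages often backport the fix without changing the upstream version string, so an "affected" result is a prompt to check the vendor's own advisory, not proof of exposure.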

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (ecosystem)        Affected versions          Patched versions
cryptography (PyPI)        >= 0.8.1, < 39.0.1         39.0.1
openssl-src (crates.io)    < 111.25.0                 111.25.0
openssl-src (crates.io)    >= 300.0.0, < 300.0.12     300.0.12

Affected products

97

References

13
