CVE-2023-0286
CVE-2023-0286 is a high-severity vulnerability in Openssl with a CVSS 3.x base score of 7.4. Its EPSS exploit-prediction score of 60% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-843.
Key facts
- Severity: High (CVSS 3.x base score 7.4)
- EPSS exploit prediction: 60% (99th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-843
- Affected product: Openssl
- Published:
- Last modified:
Description
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
Frequently asked questions
- What is CVE-2023-0286?
- There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
- How severe is CVE-2023-0286?
- CVE-2023-0286 has a CVSS 3.x base score of 7.4, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability high.
- Is CVE-2023-0286 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 60% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-0286?
- CVE-2023-0286 primarily affects Openssl. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-0286?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-0286 published?
- CVE-2023-0286 was published on 2023-02-08 and last updated on 2026-06-17.
References
- https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d
- https://security.gentoo.org/glsa/202402-08
- https://www.openssl.org/news/secadv/20230207.txt
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
Affected products (3)
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:*
More vulnerabilities in Openssl
- CVE-2009-3245 — Critical (CVSS 10.0): OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c,…
- CVE-2006-3738 — Critical (CVSS 10.0): Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier…
- CVE-2026-31789 — Critical (CVSS 9.8): Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer…
- CVE-2022-2274 — Critical (CVSS 9.8): The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA…
- CVE-2021-3711 — Critical (CVSS 9.8): In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt().…
- CVE-2016-6309 — Critical (CVSS 9.8): statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote…
Other CWE-843 vulnerabilities
- CVE-2021-33970 — Critical (CVSS 10.0): Buffer Overflow vulnerability in Qihoo 360 Chrome v13.0.2170.0 allows attacker to escalate priveleges.
- CVE-2010-2299 — Critical (CVSS 10.0): The Clipboard::DispatchObject function in app/clipboard/clipboard.cc in Google Chrome before 5.0.375.70 does not…
- CVE-2023-22579 — Critical (CVSS 9.9): Due to improper parameter filtering in the sequalize js library, can a attacker peform injection.
- CVE-2026-13776 — Critical (CVSS 9.8): Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
- CVE-2026-43038 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in…
- CVE-2025-70023 — Critical (CVSS 9.8): An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
Browse all CWE-843 vulnerabilities →
Threat intelligence
Threat-intel indicators referencing this CVE:
- 50.255.62.89 (ipv4-addr)
- 45.84.120.3 (ipv4-addr)
- 45.232.73.84 (ipv4-addr)
- 223.197.186.7 (ipv4-addr)
- 218.51.148.194 (ipv4-addr)
- 203.192.232.180 (ipv4-addr)
- 20.157.117.15 (ipv4-addr)
- 197.44.15.210 (ipv4-addr)