Vulnerability Description
In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openssl | Openssl | 1.1.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/94244Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037261
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na
- https://www.openssl.org/news/secadv/20161110.txtVendor Advisory
- http://www.securityfocus.com/bid/94244Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037261
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na
- https://www.openssl.org/news/secadv/20161110.txtVendor Advisory
FAQ
What is CVE-2016-7053?
CVE-2016-7053 is a vulnerability with a CVSS score of 7.5 (HIGH). In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0...
How severe is CVE-2016-7053?
CVE-2016-7053 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-7053?
Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl.