PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-0727 OpenSSL CVE debrief

CVE-2024-0727 is a denial-of-service issue in OpenSSL's PKCS12 handling. A maliciously formatted PKCS12 file can trigger a NULL pointer dereference and crash the process that parses it; confidentiality and integrity are not affected. The issue matters most for applications that accept PKCS12 files (for example, uploaded certificate-and-key bundles) from untrusted sources and pass them to the affected OpenSSL APIs.

Vendor
OpenSSL
Product
OpenSSL
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-01-26
Original CVE updated
2026-05-12
Advisory published
2024-01-26
Advisory updated
2026-05-12

Who should care

Teams that use OpenSSL to parse PKCS12 files from untrusted or user-controlled sources should treat this as relevant, especially application owners, package maintainers, and operators of services that import certificates or keys.

Technical summary

The vendor advisory says the PKCS12 specification allows some fields to be NULL, but OpenSSL did not check for that case before dereferencing them. As a result, parsing certain crafted PKCS12 content can lead to a NULL pointer dereference and a process crash. The affected APIs listed in the advisory are PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes(), and PKCS12_newpass(). The advisory also notes a similar issue in SMIME_write_PKCS7(), which it classifies as not security significant because that function writes data rather than parsing untrusted input. The FIPS modules in 3.2, 3.1, and 3.0 are stated as not affected.

Defensive priority

Medium. The issue is publicly disclosed, has a CVSS 3.1 base score of 5.5, and can be triggered by untrusted PKCS12 input. The score is medium rather than high because the NVD vector is local with user interaction required, and the only impact is availability (a crash of the parsing process) with no memory disclosure or code execution. Prioritize if your software ingests PKCS12 files from outside your trust boundary: for a long-running service that parses user-uploaded bundles, a crash is in practice a remotely reachable denial of service whatever the attack vector in the score says.

Recommended defensive actions

  • Update OpenSSL to a version that includes the vendor fix for your release line. The OpenSSL advisory names 3.2.1, 3.1.5, and 3.0.13, and, for premium-support customers, 1.1.1x and 1.0.2zj. Distribution packages often backport the fix without changing the upstream version number, so check the package changelog rather than relying on the version string alone.
  • Inventory any code paths that call the affected PKCS12 APIs, including indirect use through language bindings and the openssl command-line tool, and confirm whether they process untrusted input.
  • Restrict or validate PKCS12 imports at application boundaries where feasible: limit who can submit them, cap file sizes, and parse them in a separate process or worker so a crash cannot take down the main service.
  • Monitor for unexpected process exits or crashes (SIGSEGV) in certificate import or key-loading workflows.
  • If you use the OpenSSL FIPS modules in 3.2, 3.1, or 3.0, note that the advisory says those modules are not affected. PKCS12 parsing lives in libcrypto, not in the FIPS provider, so a FIPS deployment still needs a fixed libcrypto; verify the linked OpenSSL library version rather than relying on FIPS status.
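A small script for the first two actions above, added here as an example for this debrief rather than code from OpenSSL or PatchSiren. It parses `openssl version` style strings, decides whether a build meets the fixed release for its line (fixed versions from the OpenSSL advisory: 3.2.1, 3.1.5, 3.0.13, 1.1.1x, 1.0.2zj), handles the lettered 1.x patch releases where 1.0.2zj must sort after 1.0.2u, and flags calls to the affected PKCS12 APIs in a C source snippet. The version strings and the C snippet are constructed samples.

```python
"""Check an OpenSSL build and a source tree against CVE-2024-0727.

Added example for this debrief, not OpenSSL project code. Fixed versions
are taken from the OpenSSL advisory of 2024-01-25: 3.2.1, 3.1.5, 3.0.13,
1.1.1x and 1.0.2zj (the two 1.x releases are premium-support only).
All version strings and the C snippet below are constructed samples.
"""
import re

# Release line -> first upstream version containing the fix.
FIXED_VERSIONS = {
    "3.2": "3.2.1",
    "3.1": "3.1.5",
    "3.0": "3.0.13",
    "1.1.1": "1.1.1x",
    "1.0.2": "1.0.2zj",
}

# APIs the advisory lists as reachable from malformed PKCS12 input.
AFFECTED_APIS = (
    "PKCS12_parse",
    "PKCS12_unpack_p7data",
    "PKCS12_unpack_p7encdata",
    "PKCS12_unpack_authsafes",
    "PKCS12_newpass",
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
_CALL_RE = re.compile(r"\b(" + "|".join(AFFECTED_APIS) + r")\s*\(")


def parse_version(text):
    """Extract (major, minor, patch, letters) from e.g. 'OpenSSL 3.0.11 19 Sep 2023'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def version_key(v):
    """Sort key. 1.x patch letters run a..z, then za..zz, so compare by
    (length, letters): '' < 'u' < 'z' < 'za' < 'zj'."""
    major, minor, patch, letters = v
    return (major, minor, patch, len(letters), letters)


def release_line(v):
    """3.x lines are major.minor; the 1.x lines are major.minor.patch (1.1.1, 1.0.2)."""
    major, minor, patch, _ = v
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"


def check_version(text):
    """Return (release_line, verdict); verdict is 'fixed', 'vulnerable' or 'unknown'.

    'unknown' means the line is not in the advisory's fix table (for example
    a 3.3+ release, which shipped after the fix) and must be checked separately.
    """
    v = parse_version(text)
    line = release_line(v)
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        return line, "unknown"
    ok = version_key(v) >= version_key(parse_version(fixed))
    return line, "fixed" if ok else "vulnerable"


def find_affected_calls(source):
    """Return [(line_number, api_name)] for each affected-API call in C source."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in _CALL_RE.finditer(line):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample inputs (not real host output or application code).
SAMPLE_VERSIONS = [
    "OpenSSL 3.0.11 19 Sep 2023",
    "OpenSSL 3.0.13 30 Jan 2024",
    "OpenSSL 1.1.1w  11 Sep 2023",
    "OpenSSL 1.0.2zj  30 Jan 2024",
    "OpenSSL 3.3.0 9 Apr 2024",
]

SAMPLE_SOURCE = """\
/* constructed snippet: loads a client-supplied bundle */
PKCS12 *p12 = d2i_PKCS12_fp(fp, NULL);
if (p12 == NULL || !PKCS12_parse(p12, pass, &pkey, &cert, &ca))
    goto err;
if (!PKCS12_newpass(p12, pass, newpass))
    goto err;
"""

if __name__ == "__main__":
    for text in SAMPLE_VERSIONS:
        line, verdict = check_version(text)
        print(f"{text.split()[1]:<8} line {line:<6} {verdict}")
    for n, api in find_affected_calls(SAMPLE_SOURCE):
        print(f"source line {n}: {api}() consumes PKCS12 input; confirm its trust level")
```

The version check only answers for upstream builds; a distribution package reporting 3.0.11 may already carry the backported fix, which is why the action above says to read the package changelog as well. The API scan is a starting point for the inventory, not a substitute for tracing where the PKCS12 bytes come from.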

Evidence notes

The source advisory states that maliciously formatted PKCS12 input can cause a NULL pointer dereference in OpenSSL, leading to a crash and denial of service. It explicitly lists the affected APIs and states that the FIPS modules in 3.2, 3.1, and 3.0 are not affected. NVD records the vulnerability as CVSS 3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H and maps affected OpenSSL version ranges across the 1.0.2, 1.1.1, 3.0, 3.1, and 3.2 lines.

Official resources

CVE-2024-0727 was published on 2024-01-26T09:15:07.637Z. The OpenSSL vendor advisory linked in the corpus is dated 2024-01-25.