OpenSSL v3.0.4 claimed to have a memory corruption vulnerability on CPUs with the AVX512 extension. Security researcher Guido Vranken published a post that stated the latest version is susceptible to remote memory corruption which can be triggered trivially by an attacker. Only x64 systems with AVX512 support are affected. The bug is fixed in the repository but a new release is still pending.
Not patched yet
OpenSSL version 3.0.4 is susceptible to remote memory corruption which can be triggered trivially by an attacker.
OpenSSL is a cryptography library that allows the implementation of the Transport Layer Security Protocol. AVX, stands for Advanced Vector Extensions, extensions to the x86 instruction set architecture for microprocessors from Intel and AMD.
Tomáš Mráz from the OpenSSL Foundation stated that this is not a security vulnerability. He claims that it is just a serious bug making the 3.0.4 release unusable on AVX-512 capable machines. However, software resilience engineer Alex Gaynor said that “I’m not sure I understand how it’s not a security vulnerability. It’s a heap buffer overflow that’s triggerable by things like RSA signatures, which can easily happen in remote contexts (e.g. a TLS handshake).” It seems like users will have to wait for the OpenSSL 3.0.5 release for the fix.