NULL Pointer Dereference Affecting openssl-devel package, versions <1:3.5.5-1.amzn2023.0.5


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.68% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2023-OPENSSLDEVEL-17415177
  • published23 Jun 2026
  • disclosed9 Jun 2026

Introduced: 9 Jun 2026

NewCVE-2026-42764  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 openssl-devel to version 1:3.5.5-1.amzn2023.0.5 or higher.
This issue was patched in ALAS2023-2026-1853.

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-devel package and not the openssl-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled.

Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service.

If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token.

By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

CVSS Base Scores

version 3.1