Resource Management Errors Affecting openssl package, versions [0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
11.57% (94th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CONAN-OPENSSL-10078032
  • published8 May 2025
  • disclosed17 Aug 2010
  • creditUnknown

Introduced: 17 Aug 2010

CVE-2010-2939  (opens in a new tab)
CWE-399  (opens in a new tab)

How to fix?

There is no fixed version for openssl.

Overview

Affected versions of this package are vulnerable to Resource Management Errors. Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue.

References

CVSS Base Scores

version 3.1