CVE Vulnerabilities

CVE-2017-3730

NULL Pointer Dereference

Published: May 04, 2017 | Modified: Apr 20, 2025
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
5.9 MODERATE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.

Weakness

The product dereferences a pointer that it expects to be valid but is NULL.

Affected Software

Name Vendor Start Version End Version
Openssl Openssl 1.1.0 (including) 1.1.0 (including)
Openssl Openssl 1.1.0a (including) 1.1.0a (including)
Openssl Openssl 1.1.0b (including) 1.1.0b (including)
Openssl Openssl 1.1.0c (including) 1.1.0c (including)

Potential Mitigations

References