
CVE-2025-24898

Use After Free

Published: Feb 03, 2025 | Modified: Feb 11, 2025
CVSS 3.x (NVD): N/A
CVSS 3.x (RedHat): 4.8 MODERATE, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Ubuntu priority: MEDIUM

rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions, ssl::select_next_proto can return a slice that points into the server argument's buffer but whose lifetime is bound to the client argument. When the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free, which could crash the server or return arbitrary memory contents to the client. Version 0.10.70 of the openssl crate fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback.
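The following is an added example, not code from rust-openssl: a safe-Rust model of the ALPN/NPN selection that ssl::select_next_proto wraps, written with the lifetime constraint the 0.10.70 fix applies. The helpers protocols, encode_protocols and negotiate_with_local_server_list are hypothetical names, the wire format assumed is the ALPN list encoding (one length byte followed by the protocol name, repeated), and the selection uses server preference (the first server protocol that the client also offers). The last function reproduces the usage pattern the advisory calls out, a server list built inside the callback, and shows that with both inputs sharing the output lifetime the result has to be copied out before the local buffer is dropped.

```rust
// Added example (not rust-openssl's code): safe-Rust model of
// `ssl::select_next_proto` with the corrected lifetime signature.
// Both inputs use the ALPN wire format: `<len: u8><len bytes>` repeated.

/// Iterate over the entries of a length-prefixed protocol list. Iteration
/// stops at the first malformed entry (zero length, or a length that would
/// overrun the buffer) instead of reading past the end.
pub fn protocols<'a>(list: &'a [u8]) -> impl Iterator<Item = &'a [u8]> + 'a {
    let mut rest = list;
    std::iter::from_fn(move || {
        let (&len, tail) = rest.split_first()?;
        let len = len as usize;
        if len == 0 || tail.len() < len {
            rest = &[];
            return None;
        }
        let (proto, tail) = tail.split_at(len);
        rest = tail;
        Some(proto)
    })
}

/// Model of the corrected signature: the returned slice points into `server`
/// (the server-preferred list), so its lifetime `'a` is tied to BOTH inputs.
/// Before the fix only `client` carried `'a`, which let a caller keep the
/// result after the server buffer had been freed.
pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    protocols(server).find(|s| protocols(client).any(|c| c == *s))
}

/// Encode protocol names into the wire format (constructed helper).
pub fn encode_protocols(names: &[&[u8]]) -> Vec<u8> {
    let mut out = Vec::with_capacity(names.len() * 8);
    for name in names {
        debug_assert!(name.len() <= 255, "ALPN names are at most 255 bytes");
        out.push(name.len() as u8);
        out.extend_from_slice(name);
    }
    out
}

/// The usage pattern the advisory calls out: the server list is built inside
/// the callback. With the constrained signature the borrow checker requires
/// the selected protocol to be copied out before the local buffer is dropped;
/// returning the borrowed slice directly would not compile.
pub fn negotiate_with_local_server_list(client: &[u8]) -> Option<Vec<u8>> {
    let server_names: &[&[u8]] = &[b"h2", b"http/1.1"];
    let server = encode_protocols(server_names); // local Vec, freed at return
    select_next_proto(&server, client).map(|proto| proto.to_vec())
}

fn main() {
    // Constructed client offer: prefers http/1.1 but also supports h2.
    let client_names: &[&[u8]] = &[b"http/1.1", b"h2"];
    let client = encode_protocols(client_names);
    match negotiate_with_local_server_list(&client) {
        Some(proto) => println!("negotiated {}", String::from_utf8_lossy(&proto)),
        None => println!("no common protocol"),
    }
}
```

The point of the example is the signature line: once `server` and `client` share `'a`, the compiler rejects any attempt to return the slice past the end of the shorter-lived buffer, which is exactly the misuse the unconstrained pre-fix signature allowed.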

Weakness

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.

Affected Software

Name                        Vendor   Start Version                           End Version
Red Hat Enterprise Linux 9  RedHat   rpm-ostree-0:2025.5-1.el9               *
Red Hat Enterprise Linux 9  RedHat   bootc-0:1.1.6-3.el9_6                   *
Red Hat Enterprise Linux 9  RedHat   rust-bootupd-0:0.2.27-3.el9             *
Red Hat Enterprise Linux 9  RedHat   keylime-agent-rust-0:0.2.2-2.el9        *
Red Hat Enterprise Linux 9  RedHat   python3.12-cryptography-0:41.0.7-2.el9  *
rust-openssl                Ubuntu   focal                                   *
rust-openssl                Ubuntu   oracular                                *
rust-openssl-sys            Ubuntu   focal                                   *
rust-openssl-sys            Ubuntu   oracular                                *
