Cyber Resilience

CVE-2024-6119

Severity: High (Updated)
Published: 03 September 2024
Modified: 12 May 2026
KEV Added: not listed
Patch: upstream fixes available (see Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.1426 (94.6th percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-6119 is a high-severity Type Confusion (CWE-843) vulnerability in OpenSSL. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 5.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-6119 is a memory-safety flaw in OpenSSL that affects certificate name checking logic used by TLS clients and other applications validating X.509 certificates. When an application compares an expected DNS name, email address, or IP address against an otherName subject alternative name in a presented certificate, it may dereference an invalid memory address and terminate. Basic chain validation (signatures, validity periods, etc.) is unaffected; the issue is limited to the name-matching step. The FIPS modules in OpenSSL 3.3, 3.2, 3.1, and 3.0 are not impacted.

An unauthenticated remote attacker can trigger the flaw by supplying a malicious certificate containing a crafted otherName SAN during a TLS handshake or similar certificate-validation operation. Successful exploitation produces only a denial of service through abnormal process termination; no confidentiality or integrity impact is possible. TLS servers are rarely affected because they seldom perform reference-identifier name checks on client certificates.

Upstream fixes are available in the commits referenced in the OpenSSL security advisory of 3 September 2024. The CVSS 7.5 score reflects a network-reachable availability impact with low attack complexity. EPSS remains modest (current 0.1426, peak 0.1458) with no pronounced post-disclosure increase.

Vulnerability details

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected; the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

CWE(s)

CWE-843 (Type Confusion)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

openssl / openssl: 3.0.0 — 3.0.15 · 3.1.0 — 3.1.7 · 3.2.0 — 3.2.3
netapp / active iq unified manager: all versions
netapp / management services for element software and netapp hci: all versions
netapp / ontap 9: all versions
netapp / ontap select deploy administration utility: all versions
netapp / ontap tools: 9
netapp / brocade fabric operating system: all versions
netapp / h300s firmware: all versions
netapp / h500s firmware: all versions
netapp / h700s firmware: all versions
+9 more product configuration(s) — see NVD for full list
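A version-inventory check for the OpenSSL ranges listed above, added here as an example; it is not code from this page, from NVD, or from the OpenSSL project. It encodes the three openssl ranges from the Affected Assets list. Their upper bounds (3.0.15, 3.1.7, 3.2.3) are the releases in which the OpenSSL advisory of 3 September 2024 ships the fix, so the check treats each upper bound as fixed rather than affected. Release series the visible list does not cover (3.3.x, 1.1.x) are reported as not-listed rather than as safe, because the page defers the remaining configurations to NVD. The hostnames and the `openssl version` output lines in the sample inventory are constructed.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# OpenSSL ranges from this page's Affected Assets list. The upper bound of
# each range is the release that contains the fix (OpenSSL advisory of
# 3 September 2024), so it is excluded: affected means lo <= v < hi.
# Series not on the page's visible list (e.g. 3.3.x) are deliberately NOT
# encoded here; check NVD / the advisory for them instead of assuming safety.
AFFECTED_RANGES = (
    ((3, 0, 0), (3, 0, 15)),
    ((3, 1, 0), (3, 1, 7)),
    ((3, 2, 0), (3, 2, 3)),
)


def parse_openssl_version(text: str) -> Optional[Version]:
    """Extract MAJOR.MINOR.PATCH from a bare version ("3.1.6") or from the
    output of `openssl version` ("OpenSSL 3.0.14 4 Jun 2024"). A trailing
    patch letter as in 1.1.1w is tolerated and ignored. Returns None when
    no three-part version is present."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)[a-z]?\b", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(version_text: str) -> str:
    """Classify one OpenSSL version string against the page's ranges:
    'affected'   - inside a listed range; a name check can crash the process
    'fixed'      - same release series, at or past the fixing release
    'not-listed' - release series not on this page's visible list
    'unknown'    - version could not be parsed"""
    v = parse_openssl_version(version_text)
    if v is None:
        return "unknown"
    for lo, hi in AFFECTED_RANGES:
        if v[:2] == lo[:2]:  # same release series, e.g. 3.0.x
            return "affected" if lo <= v < hi else "fixed"
    return "not-listed"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {host: 'openssl version' output} mapping."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory: placeholder hostnames and constructed
# `openssl version` output lines, not data from any real system.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.14 4 Jun 2024",
    "web-02": "OpenSSL 3.0.15 3 Sep 2024",
    "api-01": "OpenSSL 3.2.2 4 Jun 2024",
    "api-02": "OpenSSL 3.2.3 3 Sep 2024",
    "vpn-01": "OpenSSL 3.3.1 4 Jun 2024",
    "legacy": "OpenSSL 1.1.1w 11 Sep 2023",
    "broken": "openssl: command not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {verdict:11} {SAMPLE_INVENTORY[host]}")
```

Only hosts whose applications perform a reference-identifier name check (TLS clients verifying a server name, or any code that sets an expected DNS name, email address or IP address) can actually hit the crash, so an "affected" verdict here marks a library version to upgrade, not a confirmed reachable condition.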

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References