OpenSSL has patched a High severity vulnerability, CVE-2022-0778, affecting certain OpenSSL versions. A bad actor could exploit it to trigger an infinite loop in the BN_mod_sqrt() function, resulting in a denial of service (DoS) condition.
The BN_mod_sqrt() function, which computes a modular square root, is the site of CVE-2022-0778: when handed a non-prime modulus it can loop forever.
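To show why a non-prime modulus is dangerous for a modular square root routine, here is an added Tonelli-Shanks implementation in Python with explicit termination bounds. It is not OpenSSL's BN_mod_sqrt() and does not reproduce its internals; the bound of 64 candidates in the non-residue search, the function name and the ValueError messages are my own choices. With a prime modulus both internal searches converge; with a composite modulus they can cycle without ever reaching 1, which is exactly the condition the bounds turn into an error instead of a hang.

```python
# Added example (not OpenSSL's code): Tonelli-Shanks modular square root with
# explicit termination bounds on the two internal searches. The algorithm is
# only guaranteed to converge for a prime modulus; for a composite modulus the
# searches can cycle forever unless they are bounded.

def mod_sqrt(a, p, max_tries=64):
    """Return x with x*x == a (mod p), assuming p is an odd prime.

    Raises ValueError instead of looping when p is not prime or a is not a
    quadratic residue. max_tries bounds the non-residue search (assumption:
    our own choice of bound, not OpenSSL's).
    """
    a %= p
    if a == 0:
        return 0
    if p == 2:
        return a
    # Write p - 1 = q * 2**s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    if s == 1:
        # p == 3 (mod 4): a single exponentiation gives the candidate root.
        x = pow(a, (p + 1) // 4, p)
        if x * x % p != a:
            raise ValueError("no square root: a is not a residue or p is not prime")
        return x
    # Search for a quadratic non-residue z. For a prime modulus about half of
    # all candidates qualify; for a composite modulus none may exist, so the
    # search must be bounded.
    z = 2
    for _ in range(max_tries):
        if pow(z, (p - 1) // 2, p) == p - 1:
            break
        z += 1
    else:
        raise ValueError("no non-residue found: p is probably not prime")
    c = pow(z, q, p)
    x = pow(a, (q + 1) // 2, p)
    t = pow(a, q, p)
    m = s
    while t != 1:
        # Find the least i with t**(2**i) == 1. With a prime modulus this
        # succeeds with 0 < i < m; with a composite modulus the squarings may
        # cycle without ever reaching 1, so stop (>=, not ==) at i == m.
        i, tt = 0, t
        while tt != 1:
            tt = tt * tt % p
            i += 1
            if i >= m:
                raise ValueError("squaring loop did not converge: p is not prime or a is not a residue")
        b = pow(c, 1 << (m - i - 1), p)
        x = x * b % p
        c = b * b % p
        t = t * c % p
        m = i
    # Final consistency check: a composite modulus can slip past every step above.
    if x * x % p != a:
        raise ValueError("result check failed: a is not a residue mod p")
    return x


if __name__ == "__main__":
    print(mod_sqrt(10, 13))   # a root of 10 mod 13
    print(mod_sqrt(2, 41))    # a root of 2 mod 41
    try:
        mod_sqrt(2, 205)      # 205 = 5 * 41 is composite
    except ValueError as err:
        print("composite modulus rejected:", err)
```

With the prime 41 both the non-residue search and the inner squaring loop do real work and mod_sqrt(2, 41) returns 17. With the composite modulus 205 = 5 * 41 and a = 2, the value t = 2**51 mod 205 has an order modulo 41 that is not a power of two, so repeated squaring never reaches 1; the bounded loop raises where an unbounded one would spin.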
“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters,” OpenSSL wrote in the advisory.
“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.”
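The trigger the advisory describes is a certificate or key whose ECParameters are given explicitly rather than as a named-curve OID. RFC 5480 already requires the namedCurve form for PKIX certificates, so a defender can reject the explicit form on policy grounds before a vulnerable parser ever reaches BN_mod_sqrt(). The following added example, which is not OpenSSL's code or part of the advisory, classifies a DER-encoded AlgorithmIdentifier by the form of its parameters using only the standard library. The helper names, the classification strings and the sample encodings are my own; the explicit-parameter sample is a deliberately abbreviated SpecifiedECDomain containing only its leading version INTEGER.

```python
# Added example (not OpenSSL's code): flag X.509 EC AlgorithmIdentifiers whose
# ECParameters are explicit (SEQUENCE) or implicit (NULL) rather than a named
# curve OID. RFC 5480 requires the namedCurve form for PKIX certificates.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
SECP256R1 = "1.2.840.10045.3.1.7"


def der_tlv(tag, body):
    """Encode one DER tag-length-value (short and long definite lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n


def classify_ec_params(alg_id):
    """Classify a DER AlgorithmIdentifier as 'named-curve', 'implicit',
    'explicit-parameters', 'unknown' or 'not-ec' (hypothetical labels)."""
    tag, body, _ = der_read(alg_id)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, _, pos = der_read(body)
    if tag != 0x06:
        raise ValueError("algorithm field must be an OBJECT IDENTIFIER")
    if body[:pos] != der_oid(ID_EC_PUBLIC_KEY):
        return "not-ec"
    if pos >= len(body):
        raise ValueError("id-ecPublicKey requires ECParameters")
    ptag, _, _ = der_read(body, pos)
    # RFC 5480 ECParameters CHOICE: namedCurve OID, implicitCurve NULL,
    # specifiedCurve SEQUENCE. Only the first is allowed in PKIX.
    return {0x06: "named-curve", 0x05: "implicit",
            0x30: "explicit-parameters"}.get(ptag, "unknown")


# Constructed samples (not taken from any real certificate).
NAMED_CURVE_ALGID = der_tlv(0x30, der_oid(ID_EC_PUBLIC_KEY) + der_oid(SECP256R1))
EXPLICIT_PARAMS_ALGID = der_tlv(
    0x30, der_oid(ID_EC_PUBLIC_KEY) + der_tlv(0x30, der_tlv(0x02, b"\x01")))
RSA_ALGID = der_tlv(0x30, der_oid(RSA_ENCRYPTION) + der_tlv(0x05, b""))


if __name__ == "__main__":
    for name, sample in [("named", NAMED_CURVE_ALGID),
                         ("explicit", EXPLICIT_PARAMS_ALGID),
                         ("rsa", RSA_ALGID)]:
        print(name, "->", classify_ec_params(sample))
```

A practical policy is to accept only "named-curve" and reject or quarantine anything else before handing the certificate to the TLS stack; in a real deployment the AlgorithmIdentifier would be extracted from the SubjectPublicKeyInfo of the parsed certificate rather than constructed as above.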
There was no CVSS score assigned to the vulnerability at the time of the advisory, but OpenSSL rated the issue High severity.