CVE-2021-23841
Null pointer deref in `X509_issuer_and_serial_hash()`
Description
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources.
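The failure mode described above, as an added, self-contained C model (not OpenSSL code and not part of this advisory): a stand-in issuer parser that returns NULL on a malformed, length-prefixed name, a FNV-1a hash standing in for the real digest, and the hashing routine in two shapes. The unchecked shape passes the parser result straight to `strlen()`, which is the NULL dereference; the checked shape tests the result first and reports failure instead of crashing. The certificate layout, the `issuer_oneline()` parser and the sample certificates are all constructed for this illustration.

```c
/* Constructed model of the CVE-2021-23841 failure mode. Not OpenSSL code:
 * the certificate layout, the issuer parser and the hash are stand-ins so
 * the program builds and runs without libcrypto. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an X.509 certificate. The issuer is stored length-prefixed
 * (one length byte followed by that many bytes); the serial is raw bytes. */
typedef struct {
    const unsigned char *issuer;
    size_t issuer_len;      /* bytes actually available behind 'issuer' */
    const unsigned char *serial;
    size_t serial_len;
} model_cert;

/* Stand-in for X509_NAME_oneline(): returns a malloc'd C string, or NULL when
 * the encoding is malformed (declared length overruns the buffer, or the name
 * contains an embedded NUL and cannot be represented as a C string). */
static char *issuer_oneline(model_cert c)
{
    if (c.issuer_len < 1)
        return NULL;
    size_t declared = c.issuer[0];
    if (declared + 1 > c.issuer_len)
        return NULL;                    /* length prefix runs past the data */
    if (memchr(c.issuer + 1, '\0', declared) != NULL)
        return NULL;                    /* embedded NUL */
    char *out = malloc(declared + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, c.issuer + 1, declared);
    out[declared] = '\0';
    return out;
}

/* 64-bit FNV-1a, standing in for the message digest the real function uses. */
static uint64_t fnv1a_update(uint64_t h, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Unchecked shape: the parser result goes straight into strlen(). On a
 * malformed issuer f is NULL and this crashes (the denial of service). */
uint64_t issuer_and_serial_hash_unchecked(model_cert c)
{
    char *f = issuer_oneline(c);
    uint64_t h = 14695981039346656037ULL;
    h = fnv1a_update(h, (const unsigned char *)f, strlen(f)); /* NULL deref */
    free(f);
    return fnv1a_update(h, c.serial, c.serial_len);
}

/* Checked shape: a parse failure is detected and reported as 0 instead of
 * being dereferenced. Callers must treat 0 as "no hash", not as a value. */
uint64_t issuer_and_serial_hash_checked(model_cert c)
{
    char *f = issuer_oneline(c);
    if (f == NULL)
        return 0;
    uint64_t h = 14695981039346656037ULL;
    h = fnv1a_update(h, (const unsigned char *)f, strlen(f));
    free(f);
    return fnv1a_update(h, c.serial, c.serial_len);
}

/* Constructed sample certificates. BAD_ISSUER declares 64 bytes but only
 * carries 2, the kind of malformed field the advisory describes. */
static const unsigned char GOOD_ISSUER[]  = {5, 'C', 'N', '=', 'C', 'A'};
static const unsigned char GOOD_SERIAL[]  = {0x01, 0x02, 0x03};
static const unsigned char OTHER_SERIAL[] = {0x01, 0x02, 0x04};
static const unsigned char BAD_ISSUER[]   = {0x40, 'C', 'N'};

model_cert sample_good_cert(void)
{
    model_cert c = {GOOD_ISSUER, sizeof GOOD_ISSUER, GOOD_SERIAL, sizeof GOOD_SERIAL};
    return c;
}

model_cert sample_other_cert(void)
{
    model_cert c = {GOOD_ISSUER, sizeof GOOD_ISSUER, OTHER_SERIAL, sizeof OTHER_SERIAL};
    return c;
}

model_cert sample_malformed_cert(void)
{
    model_cert c = {BAD_ISSUER, sizeof BAD_ISSUER, GOOD_SERIAL, sizeof GOOD_SERIAL};
    return c;
}

int main(void)
{
    printf("good cert hash     : %llu\n",
           (unsigned long long)issuer_and_serial_hash_checked(sample_good_cert()));
    printf("malformed cert hash: %llu (0 = parse failure)\n",
           (unsigned long long)issuer_and_serial_hash_checked(sample_malformed_cert()));
    /* issuer_and_serial_hash_unchecked(sample_malformed_cert()) would crash here. */
    return 0;
}
```

The practical point for applications that call this function on untrusted certificates is the second shape: the fix consists of checking the issuer parse before the string is used, and the caller in turn must treat the function's failure return as an error rather than as a usable hash.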
Patch Available
Fix available through Seal Security.
No upgrade required, protect your application instantly.

