{"id":"CVE-2021-23841","details":"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However, it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer dereference and a crash, leading to a potential denial-of-service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself, so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). 
Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","aliases":["GHSA-84rm-qf37-fgc2","RUSTSEC-2021-0058"],"modified":"2026-04-16T04:30:50.971793832Z","published":"2021-02-16T17:15:13.377Z","related":["ALSA-2021:4198","SUSE-FU-2022:0445-1","SUSE-SU-2021:0725-1","SUSE-SU-2021:0752-1","SUSE-SU-2021:0753-1","SUSE-SU-2021:0754-1","SUSE-SU-2021:0755-1","SUSE-SU-2021:0769-1","SUSE-SU-2021:0793-1","SUSE-SU-2021:0939-1","SUSE-SU-2021:14667-1","SUSE-SU-2021:14670-1","openSUSE-SU-2021:0427-1","openSUSE-SU-2021:0430-1","openSUSE-SU-2024:11126-1","openSUSE-SU-2024:11127-1"],"references":[{"type":"WEB","url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=122a19ab48091c657f7cb1fb3af9fc07bd557bbf"},{"type":"WEB","url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2021/May/67"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2021/May/70"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT212529"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4855"},{"type":"ADVISORY","url":"https://www.openssl.org/news/secadv/20210216.txt"},{"type":"ADVISORY","url":"https://www.tenable.com/security/tns-2021-09"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210219-0009/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240621-0006/"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT212534"},{"type":"ADVISORY","url":"https://www.tenable.com/security/tns-2021-03"},{"type":"ADVISORY","url":"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202103-03"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210513-0002/"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT212528"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2021/May/68"},{"type":"FIX","url
":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"771d7a8d2b73cf72a2622ca6305dcc9e9306f296"},{"introduced":"0"},{"last_affected":"251e15bf41dcc0c1b4e3debdb7d01f7082734ddd"},{"introduced":"0"},{"last_affected":"3c6e4c01b14bb666c14501160ba526442b051b5a"},{"introduced":"0"},{"last_affected":"2ada493c63db015cc41bca1021f0e567f51893c6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"21.2"},{"introduced":"0"},{"last_affected":"19.3.5"},{"introduced":"0"},{"last_affected":"20.3.1.2"},{"introduced":"0"},{"last_affected":"21.0.0.2"}]}},{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"0"},{"last_affected":"b79ac1111737174c1b36ab5f63275f0191c000dc"},{"introduced":"0"},{"fixed":"7ed30a748964c009d4909cb8b4b22036ebdef239"},{"introduced":"0"},{"fixed":"e5d189ecb9465f4be6235109dd3dbcaab01ddc53"},{"introduced":"ca94b993454c86be248fbe180db94647488114e9"},{"fixed":"7ed30a748964c009d4909cb8b4b22036ebdef239"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"a9.4"},{"introduced":"0"},{"fixed":"8.0.23"},{"introduced":"0"},{"fixed":"5.7.33"},{"introduced":"8.0.15"},{"fixed":"8.0.23"}]}},{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"e818b74be2170fbe957a07b0da4401c2b694b3b8"},{"fixed":"e818b74be2170fbe957a07b0da4401c2b694b3b8"},{"introduced":"e04bd3433fd84e1861bf258ea37928d9845e6a86"},{"fixed":"e04bd3433fd84e1861bf258ea37928d9845e6a86"},{"introduced":"0"},{"fixed":"bf059c2efc4db5c09970fd3d2c392432b0ac6a12"},{"intr
oduced":"0"},{"last_affected":"bf059c2efc4db5c09970fd3d2c392432b0ac6a12"},{"introduced":"0"},{"last_affected":"888759a1d38197f29de7227876c3b58fbff8549f"}],"database_specific":{"versions":[{"introduced":"1.0.2"},{"fixed":"1.0.2y"},{"introduced":"1.1.1"},{"fixed":"1.1.1j"},{"introduced":"0"},{"fixed":"1.0"},{"introduced":"0"},{"last_affected":"1.0-NA"},{"introduced":"0"},{"last_affected":"1.0-sp1"}]}}],"versions":["BEFORE_engine","BEN_FIPS_TEST_7","BEN_FIPS_TEST_8","FIPS_TEST_10","FIPS_TEST_9","OpenSSL_0_9_1c","OpenSSL_0_9_2b","OpenSSL_0_9_3","OpenSSL_0_9_3a","OpenSSL_0_9_3beta2","OpenSSL_0_9_4","OpenSSL_0_9_5a","OpenSSL_0_9_5a-beta1","OpenSSL_0_9_5a-beta2","OpenSSL_0_9_5beta1","OpenSSL_0_9_5beta2","OpenSSL_0_9_6-beta3","OpenSSL_0_9_7","OpenSSL_0_9_7-beta1","OpenSSL_0_9_7-beta2","OpenSSL_0_9_7-beta3","OpenSSL_0_9_7-beta4","OpenSSL_0_9_7-beta6","OpenSSL_0_9_7a","OpenSSL_0_9_7b","OpenSSL_0_9_7c","OpenSSL_0_9_7e","OpenSSL_0_9_7f","OpenSSL_0_9_7g","OpenSSL_0_9_7h","OpenSSL_0_9_7i","OpenSSL_1_0_1","OpenSSL_1_0_1-beta1","OpenSSL_1_0_1-beta2","OpenSSL_1_0_1-beta3","OpenSSL_1_0_1-post-auto-reformat","OpenSSL_1_0_1-post-reformat","OpenSSL_1_0_1-pre-auto-reformat","OpenSSL_1_0_1-pre-reformat","OpenSSL_1_0_1a","OpenSSL_1_0_1b","OpenSSL_1_0_1c","OpenSSL_1_0_1d","OpenSSL_1_0_1e","OpenSSL_1_0_1f","OpenSSL_1_0_1g","OpenSSL_1_0_1h","OpenSSL_1_0_1i","OpenSSL_1_0_1j","OpenSSL_1_0_1k","OpenSSL_1_0_1l","OpenSSL_1_0_1m","OpenSSL_1_0_1n","OpenSSL_1_0_1o","OpenSSL_1_0_1p","OpenSSL_1_0_1q","OpenSSL_1_0_1r","OpenSSL_1_0_1s","OpenSSL_1_0_1t","OpenSSL_1_0_1u","OpenSSL_1_0_2","OpenSSL_1_0_2-beta1","OpenSSL_1_0_2-beta2","OpenSSL_1_0_2-beta3","OpenSSL_1_0_2-post-auto-reformat","OpenSSL_1_0_2-post-reformat","OpenSSL_1_0_2-pre-auto-reformat","OpenSSL_1_0_2-pre-reformat","OpenSSL_1_0_2a","OpenSSL_1_0_2b","OpenSSL_1_0_2c","OpenSSL_1_0_2d","OpenSSL_1_0_2e","OpenSSL_1_0_2f","OpenSSL_1_0_2g","OpenSSL_1_0_2h","OpenSSL_1_0_2i","OpenSSL_1_0_2j","OpenSSL_1_0_2k","OpenSSL_1_0_2l","OpenSSL_1_0_2m","OpenSSL_1_0
_2n","OpenSSL_1_0_2o","OpenSSL_1_0_2p","OpenSSL_1_0_2q","OpenSSL_1_0_2r","OpenSSL_1_0_2s","OpenSSL_1_0_2t","OpenSSL_1_1_0-pre1","OpenSSL_1_1_0-pre2","OpenSSL_1_1_0-pre3","OpenSSL_1_1_0-pre4","OpenSSL_1_1_0-pre5","OpenSSL_1_1_0-pre6","OpenSSL_1_1_1","OpenSSL_1_1_1-pre1","OpenSSL_1_1_1-pre2","OpenSSL_1_1_1-pre3","OpenSSL_1_1_1-pre4","OpenSSL_1_1_1-pre5","OpenSSL_1_1_1-pre6","OpenSSL_1_1_1-pre7","OpenSSL_1_1_1-pre8","OpenSSL_1_1_1-pre9","OpenSSL_1_1_1a","OpenSSL_1_1_1b","OpenSSL_1_1_1c","OpenSSL_1_1_1d","OpenSSL_1_1_1e","OpenSSL_1_1_1f","OpenSSL_1_1_1g","OpenSSL_1_1_1h","OpenSSL_1_1_1i","OpenSSL_1_1_1j","OpenSSL_1_1_1k","OpenSSL_1_1_1l","OpenSSL_1_1_1m","OpenSSL_1_1_1n","OpenSSL_1_1_1o","OpenSSL_1_1_1p","OpenSSL_1_1_1q","OpenSSL_1_1_1r","OpenSSL_1_1_1s","OpenSSL_1_1_1t","OpenSSL_1_1_1u","OpenSSL_1_1_1v","OpenSSL_FIPS_1_0","master-post-auto-reformat","master-post-reformat","master-pre-auto-reformat","master-pre-reformat","mysql-3.23.22-beta","mysql-3.23.28-gamma","mysql-3.23.30-gamma","mysql-3.23.31","mysql-3.23.32","mysql-3.23.33","mysql-3.23.36","mysql-4.0.2","mysql-4.0.4","mysql-5.1.4","mysql-5.7.31","mysql-5.7.32","mysql-9.0.0-release","mysql-9.4.0","mysql-cluster-9.4.0","vm-19.3.0","vm-19.3.0.2","vm-19.3.1","vm-19.3.2","vm-19.3.2-pre","vm-19.3.3","vm-19.3.4","vm-19.3.5","vm-20.0.0","vm-20.0.1","vm-20.1.0","vm-20.2.0","vm-20.3.0","vm-20.3.1","vm-20.3.1.2","vm-21.0.0","vm-21.0.0.2","vm-ce-21.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23841.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.11.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.12.1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.13.0"}]},{"events":[{"introduced":"5.13.0"},{"last_affected":"5.17.0"}]},{"events":[{"introduced":"0"},
{"fixed":"14.1.1"}]},{"events":[{"introduced":"0"},{"fixed":"14.6"}]},{"events":[{"introduced":"0"},{"fixed":"14.6"}]},{"events":[{"introduced":"11.1"},{"fixed":"11.4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.5.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.9.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.57"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]}],"vanir_signatures_modified":"2026-04-11T13:53:53Z","vanir_signatures":[{"target":{"file":"include/welcome_copyright_notice.h"},"signature_version":"v1","id":"CVE-2021-23841-a59356ae","signature_type":"Line","digest":{"line_hashes":["286756561296075042237231219649184368171","302896255058266923472696425836035569717","300297427993859605007554044173966498739","175565100923089660637647648328373853699","71802579880224164103266412744806334599","315666916814277685292192961936838231932","198092292660585766502869236426726266894","162640942130416387239939759911226756525"],"threshold":0.9},"source":"https://github.com/mysql/mysql-server/commit/e5d189ecb9465f4be6235109dd3dbcaab01ddc53","deprecated":false},{"target":{"file":"include/openssl/opensslv.h"},"signature_version":"v1","id":"CVE-2021-23841-c377fa22","source":"https://github.com/openssl/openssl/commit/e04bd3433fd84e1861bf258ea37928d9845e6a86","digest":{"line_hashes":["28170854778703993674264004058177114599","73132526844288570625317440636111911761","177405411499435185068645597737938634778","224809958623850711330610094965797758930","295554444428855106393106961197201359586"],"threshold":0.9},"signature_type":"L
ine","deprecated":false},{"target":{"file":"crypto/opensslv.h"},"signature_version":"v1","id":"CVE-2021-23841-e051451f","source":"https://github.com/openssl/openssl/commit/e818b74be2170fbe957a07b0da4401c2b694b3b8","digest":{"line_hashes":["251633914150035957322733061977107206211","338514574181828579838011565939158652696","76638288692106140328510055542557597351","142922657400765574308962710386922248045","71649992455794854055653842592139575350","65527166711110472566013424527579064967","253196866009476977787139000804413898733","172177136897997206866313011107384691461"],"threshold":0.9},"signature_type":"Line","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}