Platform
openssl
Component
openssl
Fixed in
0.10.9
CVE-2018-20997 describes a critical Use-After-Free vulnerability discovered in the OpenSSL crate. This flaw allows attackers to potentially execute arbitrary code by exploiting memory corruption issues. The vulnerability affects versions of the crate prior to 0.10.9. A fix has been released in version 0.10.9.
The Use-After-Free vulnerability in the OpenSSL crate allows an attacker to access or modify memory that has already been freed. This can lead to a variety of consequences, including denial of service, arbitrary code execution, and information disclosure. An attacker could potentially craft malicious inputs that trigger the vulnerability, leading to complete system compromise. The severity of this vulnerability is heightened by the widespread use of OpenSSL in various applications and systems, making it a high-priority target for attackers.
CVE-2018-20997 was publicly disclosed on June 1, 2018. While no active exploitation campaigns have been definitively linked to this specific CVE, Use-After-Free vulnerabilities are frequently targeted by attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits may exist or emerge, increasing the risk of exploitation.
Exploit Status
EPSS
0.50% (66th percentile)
CVSS Vector
The primary mitigation for CVE-2018-20997 is to upgrade to OpenSSL crate version 0.10.9 or later. If upgrading is not immediately feasible, consider implementing runtime memory safety checks or using a memory-safe alternative crate. While not a complete solution, carefully reviewing code that interacts with OpenSSL and avoiding potentially unsafe operations can reduce the attack surface. After upgrading, confirm the fix by running tests that exercise the vulnerable code paths and verifying that no crashes or unexpected behavior occur.
CVE-2018-20997 is a critical vulnerability in the OpenSSL crate where memory is accessed after it has been freed, potentially leading to code execution.
You are affected if you are using the OpenSSL crate versions prior to 0.10.9. Check your project dependencies to determine if you are vulnerable.
Upgrade to OpenSSL crate version 0.10.9 or later to resolve this vulnerability. Ensure all dependent libraries are also updated.
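The dependency check described above, as an added example that is not part of this advisory: a small Rust program that scans a `Cargo.lock` for any `openssl` package entry below the fixed version 0.10.9 (the threshold stated on this page). It assumes the standard lockfile layout of `[[package]]` tables with `name = "..."` and `version = "..."` lines, so transitive dependencies are covered as well as direct ones. The sample lockfile text is constructed for the example; pass a real path as the first argument to scan your own project.

```rust
// Added example, not code from the advisory or the openssl crate:
// scan a Cargo.lock for openssl crate versions affected by CVE-2018-20997.
use std::fs;

/// Fixed version stated by the advisory: every openssl release below this is affected.
const FIXED_IN: (u64, u64, u64) = (0, 10, 9);

/// Constructed sample lockfile (not from any real project). Only the `openssl`
/// entry is relevant; `openssl-sys` is a different crate and must not be flagged.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "openssl"
version = "0.10.8"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.40"

[[package]]
name = "serde"
version = "1.0.80"
"#;

/// Parse "major.minor.patch" (pre-release/build suffixes ignored) into a comparable tuple.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next().unwrap_or(Ok(0)).ok()?;
    let patch = parts.next().unwrap_or(Ok(0)).ok()?;
    Some((major, minor, patch))
}

/// True when the version is strictly below the fixed release.
/// Unparsable versions are not reported as vulnerable; the caller should inspect them by hand.
fn is_vulnerable(version: &str) -> bool {
    match parse_version(version) {
        Some(v) => v < FIXED_IN,
        None => false,
    }
}

/// Extract the value of a `key = "value"` lockfile line, or None if the line is not that key.
fn kv(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.trim_matches('"').to_string())
}

/// Return the version string of every `openssl` package entry below the fixed release.
fn find_vulnerable_openssl(lockfile: &str) -> Vec<String> {
    let mut findings = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    // A trailing "[[package]]" sentinel flushes the last table in the file.
    for line in lockfile.lines().chain(std::iter::once("[[package]]")) {
        let line = line.trim();
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                if n == "openssl" && is_vulnerable(&v) {
                    findings.push(v);
                }
            }
            continue;
        }
        if let Some(n) = kv(line, "name") {
            name = Some(n);
        } else if let Some(v) = kv(line, "version") {
            version = Some(v);
        }
    }
    findings
}

fn main() {
    // Use the lockfile given on the command line, or the constructed sample.
    let text = match std::env::args().nth(1) {
        Some(path) => fs::read_to_string(&path).expect("cannot read Cargo.lock"),
        None => SAMPLE_LOCK.to_string(),
    };
    let hits = find_vulnerable_openssl(&text);
    if hits.is_empty() {
        println!("no openssl crate versions below 0.10.9 found");
    } else {
        for v in hits {
            println!("VULNERABLE: openssl {} (< 0.10.9, CVE-2018-20997)", v);
        }
    }
}
```

Run it as `cargo run -- path/to/Cargo.lock`; a non-empty result means at least one lockfile entry still resolves to an affected release, which can happen through a transitive dependency even after bumping your own `Cargo.toml`.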
While no confirmed active exploitation campaigns are publicly known, Use-After-Free vulnerabilities are frequently targeted, so vigilance is advised.
Refer to the OpenSSL project's security advisories and release notes for details: https://www.openssl.org/news/security/