CVE-2022-3996
X.509 Policy Constraints Double LockingIf an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
We have discovered 16,092 live websites that are affected by CVE-2022-3996.
Affected Software
| Product |  OpenSSL |
| Category | Web Server Extensions |
| Vulnerable Domains | 16,092 live websites (2.40% of OpenSSL install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 7 versions ( 17.50% of all versions) |
Common Weakness Enumeration
CWE-667 Improper LockingDetails
- Published - Dec 13, 2022
- Updated - Aug 3, 2024
Credits
- Polar Bear (finder)
- Paul Dale (remediation developer)
CWE
CVE References
CWE References
CVE-2022-3996 usage by Country
 United States | 3,623 websites |
 France | 2,345 websites |
 Germany | 1,486 websites |
 Japan | 1,317 websites |
 Canada | 848 websites |
 GB | 774 websites |
 Finland | 688 websites |
 Netherlands | 523 websites |
 Italy | 404 websites |
 Hungary | 397 websites |
CVE-2022-3996 usage by TLD
| .com | 5,684 websites |
| .org | 685 websites |
| .edu | 652 websites |
| .net | 643 websites |
| .ca | 638 websites |
| .fi | 534 websites |
| .jp | 534 websites |
| .fr | 489 websites |
| .de | 439 websites |
| .co.uk | 422 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2022-3996
Top websites that are affected by CVE-2022-3996. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.com | United States | *,*** | |
| ***.edu | United States | **,*** | |
| ******.org |  Singapore | **,*** | |
| ********.org | France | **,*** | |
| ********.com | United States | **,*** | |
| *******.net | Japan | **,*** | |
| ******.****.edu | United States | **,*** | |
| ************************.com | United States | **,*** | |
| ***.com | United States | **,*** | |
| ******.com | United States | **,*** |
FAQ
CVE-2022-3996 is Improper Locking in OpenSSL
A total of 16,092 websites have been identified as vulnerable to CVE-2022-3996, discovered through global website indexing conducted by WebTechSurvey.
OpenSSL is susceptible to CVE-2022-3996 vulnerability.
OpenSSL versions before, and including, 3.0.7 are vulnerable to CVE-2022-3996.