
OpenSSL Ships Patch for High-Severity Flaws

February 7, 2023

The most serious of the bugs, a type confusion issue tracked as CVE-2023-0286, may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or launch denial-of-service exploits.

The OpenSSL maintainers slapped a high-severity rating on the flaw but note that the vulnerability is most likely to affect only applications that have implemented their own functionality for retrieving CRLs over a network.

Organizations running OpenSSL versions 3.0, 1.1.1 and 1.0.2 are urged to apply available upgrades immediately.

Read More on Security Week