CVE-2026-45447
OpenSSL · OpenSSL (via PKCS#7/S/MIME processing)
A use-after-free vulnerability during PKCS#7 signature verification in OpenSSL can lead to heap corruption or potential remote code execution.
Executive summary
A critical use-after-free vulnerability in the OpenSSL library during the processing of signed messages poses a significant risk of remote code execution for affected applications.
Vulnerability
The flaw is in PKCS7_verify(). When the digestAlgorithms field of a SignedData structure is an empty ASN.1 SET, the library frees a BIO that the calling application owns and still holds a pointer to. Any later use of that BIO, by the caller or by OpenSSL on the same code path, is a use-after-free that can corrupt the heap or, in the worst case, lead to arbitrary code execution. The trigger is a malformed field in the message itself, so every code path that calls PKCS7_verify() on untrusted input is exposed.
Business impact
With a CVSS score of 9.8, this vulnerability is critical for any application that verifies PKCS#7 or S/MIME signed messages from untrusted sources (mail gateways, document-signing services, update or package verifiers built on OpenSSL). The most reliable outcome for an attacker is a crash of the verifying process (denial of service); with heap grooming, the use-after-free may be turned into control of the process and, from there, access to the data and credentials it holds.
Remediation
Immediate Action: Update the OpenSSL library to the latest patched version provided by the vendor or your software maintainer.
Proactive Monitoring: Review application and crash logs for segmentation faults, aborts from heap-consistency checks, or core dumps in processes that verify signed email or documents, and treat repeated crashes in cryptographic code as possible exploitation attempts rather than random instability.
Compensating Controls: Where patching is delayed, place a fail-closed filter in front of the verification step: reject any SignedData whose digestAlgorithms SET is empty, and reject anything the filter cannot parse as well-formed DER rather than letting OpenSSL decide. A pre-filter is a stopgap, not a fix; it must operate on the decoded DER (after base64 or PEM unwrapping for S/MIME) and on every path that reaches PKCS7_verify().
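The mechanism described under Vulnerability and the compensating control above are illustrated by the following fail-closed pre-filter. It is an added example for this advisory, not OpenSSL code and not a replacement for the vendor patch: it walks the outer ASN.1 of a PKCS#7 ContentInfo as strict DER, counts the entries in the SignedData digestAlgorithms SET, and refuses to hand the message to PKCS7_verify() if that SET is empty or if anything does not parse. The function names are ours, and the two sample blobs are constructed by hand (no real signature, empty signerInfos) purely to exercise the check.

```python
"""Fail-closed pre-filter for PKCS#7 SignedData (added example for this
advisory, not OpenSSL code). Rejects any message whose digestAlgorithms
SET is empty, or that is not strict DER, before the bytes reach
PKCS7_verify(). Function names and sample blobs are ours."""

ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
ID_DATA = bytes.fromhex("2a864886f70d010701")         # OID 1.2.840.113549.1.7.1
ID_SHA256 = bytes.fromhex("608648016503040201")       # OID 2.16.840.1.101.3.4.2.1


class DerError(ValueError):
    """Raised for anything that is not the strict DER we are willing to pass on."""


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags are not expected in SignedData")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
            raise DerError("non-minimal length is not DER")
    if pos + length > len(buf):
        raise DerError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def expect(buf: bytes, pos: int, tag: int, what: str):
    """read_tlv, but insist on a specific tag."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise DerError(f"expected {what} (tag 0x{tag:02x}), got 0x{got:02x}")
    return value, nxt


def digest_algorithm_count(der: bytes) -> int:
    """Number of AlgorithmIdentifiers in digestAlgorithms of a SignedData
    ContentInfo. Raises DerError if the outer structure is not as expected."""
    content_info, end = expect(der, 0, 0x30, "ContentInfo SEQUENCE")
    if end != len(der):
        raise DerError("trailing bytes after ContentInfo")
    oid, pos = expect(content_info, 0, 0x06, "contentType OID")
    if oid != ID_SIGNED_DATA:
        raise DerError("contentType is not id-signedData")
    explicit0, _ = expect(content_info, pos, 0xA0, "[0] EXPLICIT content")
    signed_data, _ = expect(explicit0, 0, 0x30, "SignedData SEQUENCE")
    _version, pos = expect(signed_data, 0, 0x02, "version INTEGER")
    algs, _ = expect(signed_data, pos, 0x31, "digestAlgorithms SET")
    count, p = 0, 0
    while p < len(algs):  # each entry is an AlgorithmIdentifier SEQUENCE
        _alg, p = expect(algs, p, 0x30, "AlgorithmIdentifier SEQUENCE")
        count += 1
    return count


def safe_to_verify(der: bytes) -> bool:
    """True only for strict-DER SignedData with at least one digest algorithm.
    Anything the filter cannot parse is rejected (fail closed)."""
    try:
        return digest_algorithm_count(der) > 0
    except DerError:
        return False


# --- constructed sample inputs (no real signatures; signerInfos is empty) ---

def tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite, minimal length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_signed_data(digest_algorithms: list) -> bytes:
    """Minimal ContentInfo{signedData} whose digestAlgorithms SET holds the given entries."""
    signed_data = tlv(0x30,
        tlv(0x02, b"\x01")                           # version 1
        + tlv(0x31, b"".join(digest_algorithms))     # digestAlgorithms SET
        + tlv(0x30, tlv(0x06, ID_DATA))              # encapContentInfo, no content
        + tlv(0x31, b""))                            # signerInfos, empty
    return tlv(0x30, tlv(0x06, ID_SIGNED_DATA) + tlv(0xA0, signed_data))


SHA256_ALG_ID = tlv(0x30, tlv(0x06, ID_SHA256) + tlv(0x05, b""))
GOOD_MESSAGE = build_signed_data([SHA256_ALG_ID])  # digestAlgorithms = { sha256 }
EMPTY_DIGEST_ALGS = build_signed_data([])          # the shape this advisory describes

if __name__ == "__main__":
    for name, blob in (("good", GOOD_MESSAGE), ("empty digestAlgorithms", EMPTY_DIGEST_ALGS)):
        print(f"{name}: pass to PKCS7_verify = {safe_to_verify(blob)}")
```

Run safe_to_verify() on the DER you would otherwise pass to d2i_PKCS7()/PKCS7_verify(); for S/MIME mail that means after the base64 body has been decoded. The filter deliberately rejects indefinite-length (BER) encodings and anything else it does not understand, so a parser difference between it and OpenSSL produces a false rejection rather than a bypass; the cost is that some legitimately BER-encoded producers will be refused until the library is patched.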
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the ubiquity of OpenSSL, this vulnerability requires immediate attention. Organizations must identify every system that uses OpenSSL for PKCS#7 or S/MIME processing, including applications that bundle or statically link their own copy of libcrypto and therefore are not fixed by a distribution package update, and prioritize applying the vendor patch to remove the risk of memory corruption and code execution.