How severe is CVE-2025-24898?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-24898?

This is classified as CWE-416, which is a common weakness in software security.

CVE-2025-24898

MEDIUM Year: 2025

Weakness Type

CWE-416

View all →

Vulnerability Description

rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `sever` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. The crate`openssl` version 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback.

CVE-2016-6082

CRITICAL

CVSS:10.0(Critical)

IBM BigFix Platform could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free race condition. An attacker could exploit this vulnerability to execute arbitrary ...

CWE-4162016

CVE-2009-3616

CRITICAL

CVSS:9.9(Critical)

Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VN...

CWE-4162009

CVE-2008-5038

CRITICAL

CVSS:9.8(Critical)

Use-after-free vulnerability in the NetWare Core Protocol (NCP) feature in Novell eDirectory 8.7.3 SP10 before 8.7.3 SP10 FTF1 and 8.8 SP2 for Windows allows remote attackers to cause a denial of serv...

CWE-4162008

CVE-2010-2941

CRITICAL

CVSS:9.8(Critical)

ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-fr...

CWE-4162010

CVE-2010-4197

CRITICAL

CVSS:9.8(Critical)

Use-after-free vulnerability in WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before 1.2.6, and other products, allows remote attackers to cause a denial of service or possibly have un...

CWE-4162010

CVE-2010-4201

CRITICAL

CVSS:9.8(Critical)

Use-after-free vulnerability in Google Chrome before 7.0.517.44 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving text control select...

CWE-4162010

CVE-2025-24898

Vulnerability Description

Related Vulnerabilities

CVE-2016-6082

CVE-2009-3616

CVE-2008-5038

CVE-2010-2941

CVE-2010-4197

CVE-2010-4201