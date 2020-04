A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL.

Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team. It is possible to crash a server or application that uses a vulnerable build of OpenSSL by sending specially crafted messages while setting up a TLS 1.3 connection.

This means it's possible to disrupt or knock offline HTTPS websites that use a vulnerable version of the crypto library, by sending a prod-of-death. It can also be used by rogue servers to crash web browsers and other apps connecting in.

OpenSSL is a software library widely used to provide encrypted connections across networks and the internet. Here's the technical description from the OpenSSL maintainers of the flaw: