CVE-2025-3416: 
OpenSSL vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-3416) was discovered in OpenSSL's handling of the properties argument in certain functions. The vulnerability was discovered on April 4, 2025, affecting the rust-openssl library versions 0.10.39 through 0.10.71. The issue specifically impacts the Md::fetch and Cipher::fetch functions when handling properties arguments (RUSTSEC Advisory).

The vulnerability occurs when a Some(...) value is passed to the properties argument of either Md::fetch or Cipher::fetch functions, resulting in a use-after-free condition. The issue stems from improper validation of the existence of an object prior to performing operations on it. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

In practice, this use-after-free vulnerability most likely resulted in OpenSSL treating the properties argument as an empty string due to CString::drop's behavior. While the direct impact appears limited, use-after-free vulnerabilities can potentially lead to memory corruption, undefined behavior, or incorrect property parsing (RUSTSEC Advisory).

The vulnerability has been patched in rust-openssl version 0.10.72. Users are strongly advised to upgrade to this version or later. The fix involves modifying the property handling in both affected functions to properly manage the lifetime of the properties argument (GitHub PR).