The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
CVE-2021-3450
This high-severity CVE scores 7.4 under NVD CVSS v3. EPSS exploit probability: 0.5%, top 34% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.4
- EG Score
- 7.4(medium)
- EPSS
- 96.9%
- KEV
- Not listed
Published
March 25, 2021
Last Modified
November 21, 2024
References (48)
- openssl-security@opensslhttp://www.openwall.com/lists/oss-security/2021/03/27/1
- openssl-security@opensslhttp://www.openwall.com/lists/oss-security/2021/03/27/2
- openssl-security@opensslhttp://www.openwall.com/lists/oss-security/2021/03/28/3
- openssl-security@opensslhttp://www.openwall.com/lists/oss-security/2021/03/28/4
- openssl-security@opensslhttps://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- openssl-security@opensslhttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
- openssl-security@opensslhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
- openssl-security@opensslhttps://kc.mcafee.com/corporate/index?page=content&id=SB10356
- openssl-security@opensslhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
- openssl-security@opensslhttps://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html
- openssl-security@opensslhttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
- openssl-security@opensslhttps://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
- openssl-security@opensslhttps://security.gentoo.org/glsa/202103-03
- openssl-security@opensslhttps://security.netapp.com/advisory/ntap-20210326-0006/
- openssl-security@opensslhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
Patch Availability(7)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.jbcs.el7 | 2021-04-14 | redhat |
| redhat | openssl | 2021-04-14 | redhat |
| redhat | tomcat-native-0:1.2.23-24.redhat_24.ep7.el7 | 2021-04-14 | redhat |
| redhat | patch | 2021-04-14 | redhat |
| redhat | jws5-tomcat-native-0:1.2.25-4.redhat_4.el8jws | 2021-04-14 | redhat |
| redhat | redhat-virtualization-host-0:4.4.5-20210330.0.el8_3 | 2021-04-14 | redhat |
| redhat | openssl-1:1.1.1g-15.el8_3 | 2021-03-30 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
crates.io(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| openssl-src | — | 111.15.0 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
All Vendor Advisories
(9)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
- Microsoft MSRCCVE-2021-34502021-10-12
OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT
- Red HatRHSA-2021:1024IMPORTANT2021-03-25
RHSA-2021:1024 — Important
- Red HatRHSA-2021:1189IMPORTANT2021-03-25
RHSA-2021:1189 — Important
- Red HatRHSA-2021:1195IMPORTANT2021-03-25
RHSA-2021:1195 — Important
- Red HatRHSA-2021:1196IMPORTANT2021-03-25
RHSA-2021:1196 — Important
- Red HatRHSA-2021:1199IMPORTANT2021-03-25
RHSA-2021:1199 — Important
- Red HatRHSA-2021:1200IMPORTANT2021-03-25
RHSA-2021:1200 — Important
- Red HatRHSA-2021:1202IMPORTANT2021-03-25
RHSA-2021:1202 — Important
- Red HatRHSA-2021:1203IMPORTANT2021-03-25
RHSA-2021:1203 — Important
Data Freshness Timeline
(refreshed 7× in last 7d / 42× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-07 13:43 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-06 16:25 UTCEPSS rescore
- 2026-07-02 16:57 UTCEPSS rescore
- 2026-07-01 15:04 UTCEPSS rescore
- 2026-07-01 06:48 UTCOSV refresh
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-28 14:05 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
Show 54 moreShow fewer
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-19 19:24 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-18 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 10:43 UTCOSV refresh
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-07 15:23 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-06 13:46 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 19:12 UTCEG score recompute
- 2026-05-26 19:12 UTCVendor advisory
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-25 10:46 UTCOSV refresh
Frequently asked(5)
What is CVE-2021-3450?
When was CVE-2021-3450 disclosed?
Is CVE-2021-3450 actively exploited?
What is the CVSS score of CVE-2021-3450?
How do I remediate CVE-2021-3450?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-3450
Is Your Infrastructure Affected by CVE-2021-3450?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.