TLS certificates can be used to execute arbitrary code – Opera Security Advisories


Highly Severe

Problem Description

When connecting to a TLS-protected website, Opera parses the X.509 certificate. If a site uses a specially crafted Subject Alternative Name in the certificate, it can cause Opera to crash. To inject code, additional means will have to be employed.

Opera’s Response

Opera Software has released Opera 9.25, where this issue has been fixed.


Thanks to Alexander Klink, Cynops GmbH for reporting this issue to Opera Software.