by LawnGnome 1327 days ago
Certificates, which makes this pretty nasty, because it implies that there's a potential RCE if you can trigger any sort of certificate parsing remotely. (Would sending a TLS client certificate when initiating an HTTPS request do this out of the box?)

Only if the server side accepted a client certificate during the handshake, and then either that certificate had a trust path to a root CA trusted by the server OR the server was not performing trust path validation. I think it's pretty nichey.
I was not able to find whether OpenSSH can be exploited with this CVE by presenting a malicious client auth certificate.

Would be glad if someone could clarify whether OpenSSH has this vulnerability?

OpenSSH doesn't support X.509 certificates.
Nor does it call any SSL-related function.

OpenSSH only links to OpenSSL for the cryptographic primitives. SSH and SSL are different protocols.