free the bit string
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 13f57e8..57e6146 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -229,6 +229,9 @@
bit_string = self._backend._lib.X509V3_EXT_d2i(ext)
assert bit_string != self._backend._ffi.NULL
bit_string = self._backend._ffi.cast("ASN1_BIT_STRING *", bit_string)
+ bit_string = self._backend._ffi.gc(
+ bit_string, self._backend._lib.ASN1_BIT_STRING_free
+ )
get_bit = self._backend._lib.ASN1_BIT_STRING_get_bit
digital_signature = get_bit(bit_string, 0) == 1
content_commitment = get_bit(bit_string, 1) == 1
diff --git a/src/cryptography/hazmat/bindings/openssl/asn1.py b/src/cryptography/hazmat/bindings/openssl/asn1.py
index 45dfe75..475bd05 100644
--- a/src/cryptography/hazmat/bindings/openssl/asn1.py
+++ b/src/cryptography/hazmat/bindings/openssl/asn1.py
@@ -120,6 +120,7 @@
"""
MACROS = """
+void ASN1_BIT_STRING_free(ASN1_BIT_STRING *);
/* This is not a macro, but is const on some versions of OpenSSL */
int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *, int);
ASN1_TIME *M_ASN1_TIME_dup(void *);