SB2025100119 - Multiple vulnerabilities in OpenSSL

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025100119

SB2025100119 - Multiple vulnerabilities in OpenSSL

Published: October 1, 2025

Security Bulletin ID SB2025100119
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2025-9230)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when trying to decrypt CMS messages encrypted using password based encryption. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.

Successful exploitation of the vulnerability requires that password based (PWRI) encryption support in CMS messages is enabled. 


2) Covert Timing Channel (CVE-ID: CVE-2025-9231)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to timing side-channel in SM2 signature computations on 64 bit ARM platforms. A remote attacker can recover the private key and decrypt data.


3) Out-of-bounds read (CVE-ID: CVE-2025-9232)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in OpenSSL HTTP client API functions if the "no_proxy" environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References