CVE-2025-69418

MEDIUM EPSS 1.8%
Published Jan 27, 20265mo ago · Modified Jun 17, 20261w ago
4.0 CVSS 3.1
Medium
Find Similar
Published Jan 27, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

CVSS Details

Base Score
4.0
Exploitability
1.4
Impact
2.5
Vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Local
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
1.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-325

Affected Products 6

VendorProductVersionRange
opensslopenssl*≥1.1.1  –  <1.1.1ze
opensslopenssl*≥3.0.0  –  <3.0.19
opensslopenssl*≥3.3.0  –  <3.3.6
opensslopenssl*≥3.4.0  –  <3.4.4
opensslopenssl*≥3.5.0  –  <3.5.5
opensslopenssl*≥3.6.0  –  <3.6.1

References 7

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • github.com https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc
    Patch
  • github.com https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8
    Patch
  • github.com https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347
    Patch
  • github.com https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae
    Patch
  • github.com https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977
    Patch
  • openssl-library.org https://openssl-library.org/news/secadv/20260127.txt
    Vendor Advisory

Remediation

  • github.com https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc
    Patch
  • github.com https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8
    Patch
  • github.com https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347
    Patch
  • github.com https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae
    Patch
  • github.com https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977
    Patch