Revision 1.1.1.1 (27-Jan-2026), christos: Import OpenSSL-3.5.5 (previous was 3.5.1)
Changes between 3.5.4 and 3.5.5 [27 Jan 2026]

Fixed Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
Severity: Moderate
Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.
Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.
Reported by: Stanislav Fort (Aisle Research) and Petr Šimeček (Aisle Research) and Hamza (Metadust)
(CVE-2025-11187)
Tomáš Mráz
Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing.
Severity: High
Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.
Reported by: Stanislav Fort (Aisle Research)
(CVE-2025-15467)
Igor Ustinov
Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
Severity: Low
Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.
Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.
Reported by: Stanislav Fort (Aisle Research)
(CVE-2025-15468)
Stanislav Fort
Fixed openssl dgst one-shot codepath silently truncates inputs >16 MiB.
Severity: Low
Issue summary: The openssl dgst command-line tool silently truncates input data to 16 MiB when using one-shot signing algorithms and reports success instead of an error.
Impact summary: A user signing or verifying files larger than 16 MiB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16 MiB remains unauthenticated.
Reported by: Stanislav Fort (Aisle Research)
(CVE-2025-15469)
Viktor Dukhovni
Fixed TLS 1.3 CompressedCertificate excessive memory allocation.
Severity: Low
Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit.
Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service).
Reported by: Tomas Dulka (Aisle Research) and Stanislav Fort (Aisle Research)
(CVE-2025-66199)
Tomas Dulka and Stanislav Fort
Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.
Severity: Low
Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.
Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.
Reported by: Petr Simecek (Aisle Research) and Stanislav Fort (Aisle Research)
(CVE-2025-68160)
Stanislav Fort and Neil Horman
Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB function calls.
Severity: Low
Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.
Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.
Reported by: Stanislav Fort (Aisle Research)
(CVE-2025-69418)
Stanislav Fort
Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
Severity: Low
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.
Reported by: Stanislav Fort (Aisle Research)
(CVE-2025-69419)
Norbert Pócs
Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
Severity: Low
Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.
Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.
Reported by: Luigino Camastra (Aisle Research)
(CVE-2025-69420)
Bob Beck
Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.
Severity: Low
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.
Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.
Reported by: Luigino Camastra (Aisle Research)
(CVE-2025-69421)
Luigino Camastra
Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.
Severity: Low
Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.
Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.
Reported by: Luigino Camastra (Aisle Research)
(CVE-2026-22795)
Bob Beck
Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function.
Severity: Low
Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.
Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.
Reported by: Luigino Camastra (Aisle Research)
(CVE-2026-22796)
Bob Beck
RISC-V capabilities string format has changed to include the base architecture and the vector length for the V extension.
Bernd Edlinger
Fixed incorrect acceptance of some malformed ECDSA signatures on s390x.
Holger Dengler
Source code has been reformatted with clang-format.
Bob Beck
Changes between 3.5.3 and 3.5.4 [30 Sep 2025]

Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.
Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.
The issue was reported by Stanislav Fort (Aisle Research).
(CVE-2025-9230)
Viktor Dukhovni
Fix Timing side-channel in SM2 algorithm on 64 bit ARM
Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.
Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.
The issue was reported by Stanislav Fort (Aisle Research).
(CVE-2025-9231)
Stanislav Fort and Tomáš Mráz
Fix Out-of-bounds read in HTTP client no_proxy handling
Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the "no_proxy" environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.
Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.
The issue was reported by Stanislav Fort (Aisle Research).
(CVE-2025-9232)
Stanislav Fort
The FIPS provider no longer performs a PCT on key import for ECX keys (that was introduced in 3.5.2), following the latest update on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
Eugene Syromiatnikov
Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted signatures.
Xiao Lou Dong Feng
Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release builds, as it broke some existing applications that relied on the previous 3.x semantics, as documented in OpenSSL_version(3).
Richard Levitte
Changes between 3.5.2 and 3.5.3 [16 Sep 2025]

Avoided a potential race condition introduced in 3.5.1, where an OSSL_STORE_CTX was kept open during lookup while potentially being used by multiple threads simultaneously, which could lead to potential crashes when multiple concurrent TLS connections are served.
Matt Caswell
The FIPS provider no longer performs a PCT on key import for RSA, DH, and EC keys (that was introduced in 3.5.2), following the latest update on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
Dr Paul Dale
Secure memory allocation calls are no longer used for HMAC keys.
Dr Paul Dale
openssl req no longer generates certificates with an empty extension list when SKID/AKID are set to none during generation.
David Benjamin
The man page date is now derived from the release date provided in VERSION.dat and not the current date for the released builds.
Enji Cooper
Hardened the provider implementation of the RSA public key "encrypt" operation to add a missing check that the caller-indicated output buffer size is at least as large as the byte count of the RSA modulus. The issue was reported by Arash Ale Ebrahim from SYSPWN.
This operation is typically invoked via EVP_PKEY_encrypt(3). Callers that in fact provide a sufficiently large buffer, but fail to correctly indicate its size may now encounter unexpected errors. In applications that attempt RSA public encryption into a buffer that is too small, an out-of-bounds write is now avoided and an error is reported instead.
Viktor Dukhovni
Added FIPS 140-3 PCT on DH key generation.
Nikola Pajkovsky
Fixed the synthesised OPENSSL_VERSION_NUMBER.
Richard Levitte
Changes between 3.5.1 and 3.5.2 [5 Aug 2025]

The FIPS provider now performs a PCT on key import for RSA, EC and ECX. This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
Dr Paul Dale
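The TLS 1.3 CompressedCertificate entry above (CVE-2025-66199) describes a peer forcing a large allocation before decompression because the declared size was not checked against the configured certificate limit. The following is an added, illustrative example of that bound check; it is not OpenSSL's code and not part of the imported changelog. The message layout follows RFC 8879 (algorithm, 24-bit uncompressed_length, length-prefixed compressed body); the 64 KiB limit, the function names and the sample certificate bytes are assumptions constructed for the example.

```python
"""Bounding a TLS 1.3 CompressedCertificate (RFC 8879) before allocation.

Illustrative example only; OpenSSL's own implementation differs.
"""
import struct
import zlib
from typing import Optional

# RFC 8879 CertificateCompressionAlgorithm code point for zlib.
ZLIB = 1

# Assumed per-connection cap on a decompressed Certificate message.
# OpenSSL uses its own configured limit; this value is an assumption.
MAX_CERT_MSG_LEN = 64 * 1024


class CompressedCertificateError(ValueError):
    """Raised when a CompressedCertificate body is malformed or over limit."""


def build_compressed_certificate(cert_msg: bytes, algorithm: int = ZLIB,
                                 claimed_len: Optional[int] = None) -> bytes:
    """Encode a CompressedCertificate body.

    `claimed_len` lets a test construct a message whose uncompressed_length
    field lies about the real size, which is the case a decoder must survive.
    """
    if algorithm != ZLIB:
        raise ValueError("only zlib is implemented in this example")
    compressed = zlib.compress(cert_msg)
    if not 1 <= len(compressed) <= 0xFFFFFF:
        raise ValueError("compressed body out of range")
    declared = len(cert_msg) if claimed_len is None else claimed_len
    return (struct.pack(">H", algorithm)
            + declared.to_bytes(3, "big")
            + len(compressed).to_bytes(3, "big")
            + compressed)


def parse_compressed_certificate(body: bytes,
                                 limit: int = MAX_CERT_MSG_LEN) -> bytes:
    """Return the decompressed Certificate message or raise.

    The declared uncompressed_length is compared to `limit` before any
    buffer is sized from it, and decompression output is capped so a
    lying header cannot force an allocation larger than limit + 1 bytes.
    """
    if len(body) < 8:
        raise CompressedCertificateError("truncated header")
    (algorithm,) = struct.unpack(">H", body[:2])
    uncompressed_length = int.from_bytes(body[2:5], "big")
    compressed_length = int.from_bytes(body[5:8], "big")
    compressed = body[8:8 + compressed_length]
    if compressed_length == 0 or len(compressed) != compressed_length:
        raise CompressedCertificateError("bad compressed_certificate_message length")
    if 8 + compressed_length != len(body):
        raise CompressedCertificateError("trailing bytes after message")
    if algorithm != ZLIB:
        raise CompressedCertificateError(f"unsupported algorithm {algorithm}")
    # The check the changelog entry describes: bound the declared size
    # BEFORE allocating anything based on it.
    if uncompressed_length == 0 or uncompressed_length > limit:
        raise CompressedCertificateError(
            f"declared size {uncompressed_length} exceeds limit {limit}")
    d = zlib.decompressobj()
    # max_length caps the output buffer; one extra byte lets us detect
    # a stream that is longer than declared without trusting the header.
    out = d.decompress(compressed, uncompressed_length + 1)
    if len(out) != uncompressed_length or not d.eof or d.unconsumed_tail:
        raise CompressedCertificateError(
            "decompressed length does not match declared uncompressed_length")
    return out


def validate(body: bytes, limit: int = MAX_CERT_MSG_LEN) -> str:
    """Return "ok" if the body is accepted, else the rejection reason."""
    try:
        parse_compressed_certificate(body, limit)
    except CompressedCertificateError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    # Constructed sample: stands in for a real Certificate handshake message.
    cert = b"CONSTRUCTED-CERTIFICATE-MESSAGE-" * 200
    print(validate(build_compressed_certificate(cert)))
    print(validate(build_compressed_certificate(
        cert, claimed_len=MAX_CERT_MSG_LEN + 1)))
```

The order of checks is the point: a small compressed payload carrying a huge uncompressed_length is rejected by the limit comparison without touching zlib, and a payload whose real size disagrees with the header is rejected after a bounded decompression rather than an unbounded one.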