CVE-2025-69418

{"id": "CVE-2025-69418", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.4}]}, "published": "2026-01-27T16:16:33.253", "references": [{"url": "https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://openssl-library.org/news/secadv/20260127.txt", "tags": ["Vendor Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "openssl-security@openssl.org", "description": [{"lang": "en", "value": "CWE-325"}]}], "descriptions": [{"lang": "en", "value": "Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue."}, {"lang": "es", "value": "Resumen del problema: Al usar la API OCB de bajo nivel directamente con AES-NI u otras rutas de c\u00f3digo aceleradas por hardware, las entradas cuya longitud no es un m\u00faltiplo de 16 bytes pueden dejar el bloque parcial final sin cifrar y sin autenticar.\nResumen del impacto: Los \u00faltimos 1-15 bytes de un mensaje pueden quedar expuestos en texto claro durante el cifrado y no est\u00e1n cubiertos por la etiqueta de autenticaci\u00f3n, lo que permite a un atacante leer o manipular esos bytes sin ser detectado. Las rutinas de cifrado y descifrado OCB de bajo nivel en la ruta de flujo acelerada por hardware procesan bloques completos de 16 bytes, pero no avanzan los punteros de entrada/salida. El c\u00f3digo posterior de manejo de la cola opera entonces sobre los punteros base originales, reprocesando efectivamente el inicio del b\u00fafer mientras deja los bytes finales reales sin procesar. La suma de verificaci\u00f3n de autenticaci\u00f3n tambi\u00e9n excluye los verdaderos bytes de la cola. Sin embargo, los consumidores t\u00edpicos de OpenSSL que usan EVP no se ven afectados porque las implementaciones OCB de EVP y del proveedor de nivel superior dividen las entradas de modo que los bloques completos y los bloques parciales finales se procesan en llamadas separadas, evitando la ruta de c\u00f3digo problem\u00e1tica. Adem\u00e1s, TLS no utiliza conjuntos de cifrado OCB. La vulnerabilidad solo afecta a las aplicaciones que llaman directamente a las funciones de bajo nivel CRYPTO_ocb128_encrypt() o CRYPTO_ocb128_decrypt() con longitudes no alineadas a bloques en una sola llamada en compilaciones aceleradas por hardware. Por estas razones, el problema se evalu\u00f3 como de baja severidad. Los m\u00f3dulos FIPS en 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 y 3.0 no se ven afectados por este problema, ya que el modo OCB no es un algoritmo aprobado por FIPS. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 y 1.1.1 son vulnerables a este problema. OpenSSL 1.0.2 no se ve afectado por este problema."}], "lastModified": "2026-05-12T13:17:24.297", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E000B986-6A31-468F-9EA3-B9D16DB16FB2", "versionEndExcluding": "1.1.1ze", "versionStartIncluding": "1.1.1"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C76C5F55-5243-4461-82F5-2FEBFF4D59FA", "versionEndExcluding": "3.0.19", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5292E9E-6B50-409F-9219-7B0A04047AD8", "versionEndExcluding": "3.3.6", "versionStartIncluding": "3.3.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9D3DCAE-317D-4DFB-93F0-7A235A229619", "versionEndExcluding": "3.4.4", "versionStartIncluding": "3.4.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CAC7CBE-EC03-4089-938A-0CEEB2E09B62", "versionEndExcluding": "3.5.5", "versionStartIncluding": "3.5.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68352537-5E99-4F4D-B78A-BCF0353A70A5", "versionEndExcluding": "3.6.1", "versionStartIncluding": "3.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "openssl-security@openssl.org"}