OpenSSL 3.x Vulnerability Advisory: CVE-2025-9230/9231/9232 (OOB Read/Write/Timing Side-Channel)

Critical Vulnerability Information 1. Out-of-bounds read & write in RFC 3211 KEK Unwrap (CVE-2025-9230) Severity: Medium Issue Summary: Applications attempting to decrypt CMS messages encrypted with passwords may trigger out-of-bounds read and write operations. Impact Summary: Out-of-bounds read may cause application crashes, leading to denial of service. Out-of-bounds write may result in memory corruption, with various consequences including denial of service or potential data leakage. Affected Versions: OpenSSL versions 3.5, 3.4, 3.3, 3.2, 3.1, and 3.0. Remediation Recommendation: Upgrade to the latest version. 2. Timing side-channel in SM2 algorithm on 64 bit ARM (CVE-2025-9231) Severity: Medium Issue Summary: A timing side-channel exists in the SM2 algorithm implementation on 64-bit ARM platforms, potentially allowing remote private key recovery. Impact Summary: The timing side-channel in SM2 signature computations on 64-bit ARM platforms may enable attackers to recover private keys. Affected Versions: OpenSSL versions 3.5, 3.4, 3.3, 3.2, and 3.0. Remediation Recommendation: Upgrade to the latest version. 3. Out-of-bounds read in HTTP client no proxy handling (CVE-2025-9232) Severity: Low Issue Summary: Applications using OpenSSL HTTP client API functions may trigger an out-of-bounds read if the "no_proxy" environment variable is set and the HTTP URL's host portion is an IPv6 address. Impact Summary: Out-of-bounds read may cause application crashes, resulting in denial of service. Affected Versions: OpenSSL versions 3.5, 3.4, 3.3, 3.2, and 3.0. Remediation Recommendation: Upgrade to the latest version.

Goal Reached Thanks to every supporter — we hit 100%!

OpenSSL 3.x Vulnerability Advisory: CVE-2025-9230/9231/9232 (OOB Read/Write/Timing Side-Channel)