OpenSSL updates addressed 3 flaws enabling key recovery, code execution, and DoS attacks. Users are urged to update asap.
The OpenSSL Project has released security updates to address three vulnerabilities, tracked as CVE-2025-9230, CVE-2025-9231, and CVE-2025-9232, in its open-source SSL/TLS toolkit.
OpenSSL is an open-source library that provides encryption, decryption, hashing, and digital certificate management. It powers SSL/TLS protocols to secure internet communications, widely used in web servers, apps, and systems to protect sensitive data in transit and ensure privacy.
The project maintainers released versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd of the OpenSSL Library and urge users to use them.
CVE-2025-9230 is an OpenSSL flaw in CMS decryption with password-based encryption (PWRI). It triggers out-of-bounds read/write, causing crashes (DoS) or memory corruption that may enable code execution. Risk is limited since PWRI use is rare, and OpenSSL rates the flaw as moderate in severity. FIPS modules are unaffected. Users should update to patched versions to mitigate potential exploitation.
“This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.” reads the advisory. “Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low.”
The second flaw, tracked as CVE-2025-9231, is a Moderate-severity issue in OpenSSL affecting SM2 signature computations on 64-bit ARM platforms. It introduces a timing side-channel that could let attackers recover private keys through precise timing measurements. Although OpenSSL does not natively support SM2 keys in TLS, custom providers may enable their use, making the flaw relevant in those contexts. Remote exploitation remains theoretical but possible, so updates are recommended.
The third vulnerability is a low-severity OpenSSL issue that can cause crashes and trigger a DoS condition. Since Heartbleed, the security of the OpenSSL library has drastically improved.
In February, the OpenSSL Project addressed a high-severity vulnerability, tracked as CVE-2024-12797, in its secure communications library.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, encryption)
