Skip to content
ScienceClimate-changeGreen GadgetsStrengthen Your Digital FortressUnveil the Latest Gadgets

OpenSSL Warns of Critical Vulnerabilities Affecting Multiple Versions

OpenSSL's latest update brings serious security concerns. Upgrade now to avoid remote code execution and private key exposure.

 and  Administrator
1 min read
This picture shows few cross symbols and few papers and key chains on the glass table.
This picture shows few cross symbols and few papers and key chains on the glass table.

OpenSSL Warns of Critical Vulnerabilities Affecting Multiple Versions

The OpenSSL Project has issued a critical security advisory, warning of three significant vulnerabilities affecting multiple versions of its software. These flaws, discovered by Stanislav Fort and his team at Aisle Research, could allow attackers to execute remote code, cause denial of service, and compromise sensitive cryptographic materials.

The most severe vulnerability, tracked as CVE-2025-9230, involves out-of-bounds memory operations in the RFC 3211 Key Encryption Key (KEK) unwrap functionality. This occurs when applications attempt to decrypt Cryptographic Message Syntax (CMS) messages using password-based encryption (PWRI), potentially leading to memory corruption and remote code execution.

Another critical flaw, CVE-2025-9231, introduces a timing side-channel vulnerability in the SM2 cryptographic algorithm implementation on 64-bit ARM platforms. This allows remote attackers to recover private keys through timing analysis, posing a significant threat to organizations using custom cryptographic providers with SM2 support.

The vulnerabilities affect various OpenSSL versions, including 3.5, 3.4, 3.3, 3.2, 3.0, 1.1.1, and 1.0.2, specifically on 64-bit ARM architectures. The project has released patched versions (OpenSSL 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd, and 1.0.2zm) to mitigate these issues, and immediate remediation is advised.

Organizations are urged to upgrade to the patched OpenSSL versions promptly to protect against these vulnerabilities. Failure to do so could result in unauthorized access to sensitive materials, remote code execution, and denial of service attacks. The OpenSSL Project encourages users to stay informed about security updates and apply them as soon as possible.

Read also:

Related

Latest