TLS 1.3 Certificate Compression Vulnerability in OpenSSL
CVE-2025-66199


Key Information:

Vendor: OpenSSL
Status: Vendor
CVE Published: 27 January 2026

What is CVE-2025-66199?

OpenSSL's TLS 1.3 implementation supports certificate compression (RFC 8879). When a compressed certificate arrives, the receiving side allocates memory for the decompressed certificate before decompressing it, sized by the uncompressed length that the message declares, and that declared length is controlled by the peer. A malicious peer can therefore claim an arbitrary uncompressed length and drive the receiver into allocating up to 22 MiB per connection, with additional CPU spent on decompression. The effect is resource exhaustion (memory and CPU), so service degradation or denial of service; the issue does not cause memory corruption or leak data. Only configurations in which TLS 1.3 certificate compression is enabled and a supported compression algorithm is available are affected. Beyond upgrading to a fixed release, the mitigation is to disable receive-side certificate compression by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION with SSL_CTX_set_options() or SSL_set_options(), so the endpoint no longer accepts compressed certificates from its peers.
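To make the allocation pattern concrete, the following Python model of the receiving side is an added example and not code from OpenSSL or from the advisory. It assumes the zlib algorithm only (code point 1 in RFC 8879), a constructed stand-in for the certificate message, and an illustrative 100 KiB cap (MAX_UNCOMPRESSED) that is not OpenSSL's own limit. receive_vulnerable sizes its buffer from the peer-declared uncompressed_length before decompressing anything; receive_hardened rejects an oversized claim first, decompresses under a hard output bound, and checks that the output matches the declared length.

```python
"""Receiver-side handling of an RFC 8879 CompressedCertificate message.

Added example, not OpenSSL code. Contrasts a receiver that allocates the
peer-declared uncompressed_length before decompressing (the pattern behind
the advisory) with one that bounds allocation first.

    struct {
        CertificateCompressionAlgorithm algorithm;           // uint16
        uint24 uncompressed_length;
        opaque compressed_certificate_message<1..2^24-1>;
    } CompressedCertificate;
"""
import struct
import zlib
from typing import Optional

ZLIB = 1  # RFC 8879 code point for zlib compression

# Largest uncompressed certificate message the hardened receiver will buffer.
# Assumed value for this example; it is not OpenSSL's limit.
MAX_UNCOMPRESSED = 100 * 1024

# Constructed stand-in for a TLS Certificate message body (not a real certificate).
SAMPLE_CERT_MSG = bytes(range(256)) * 8 + b"\x00" * 1000


def build_compressed_certificate(cert_msg: bytes,
                                 declared_len: Optional[int] = None) -> bytes:
    """Encode a CompressedCertificate carrying zlib-compressed cert_msg.

    declared_len overrides uncompressed_length so a caller can lie about it,
    which is exactly the field a malicious peer controls.
    """
    body = zlib.compress(cert_msg)
    if declared_len is None:
        declared_len = len(cert_msg)
    return (struct.pack("!H", ZLIB)
            + declared_len.to_bytes(3, "big")
            + len(body).to_bytes(3, "big")
            + body)


def parse_header(msg: bytes):
    """Split a CompressedCertificate into (uncompressed_length, compressed body)."""
    if len(msg) < 8:
        raise ValueError("truncated CompressedCertificate")
    (algorithm,) = struct.unpack("!H", msg[:2])
    declared_len = int.from_bytes(msg[2:5], "big")
    body_len = int.from_bytes(msg[5:8], "big")
    body = msg[8:8 + body_len]
    if algorithm != ZLIB or body_len == 0 or len(msg) != 8 + body_len:
        raise ValueError("malformed CompressedCertificate")
    return declared_len, body


def receive_vulnerable(msg: bytes) -> int:
    """Trusting receiver: sizes its buffer from the peer's uncompressed_length.

    Returns the number of bytes allocated so the effect is observable; a few
    bytes of compressed input can drive this to the uint24 maximum (16 MiB).
    """
    declared_len, body = parse_header(msg)
    buf = bytearray(declared_len)      # peer-sized allocation, before any decompression
    out = zlib.decompress(body)
    buf[:len(out)] = out
    return len(buf)


def receive_hardened(msg: bytes, limit: int = MAX_UNCOMPRESSED) -> bytes:
    """Receiver that never allocates more than `limit` on the peer's say-so."""
    declared_len, body = parse_header(msg)
    # 1. Reject an oversized claim before any allocation sized by the peer.
    if declared_len > limit:
        raise ValueError(f"uncompressed_length {declared_len} exceeds limit {limit}")
    # 2. Decompress under a hard output bound (one byte of slack so an honest
    #    stream can reach end-of-stream), so a tiny body cannot expand past
    #    the declared size either (decompression-bomb case).
    d = zlib.decompressobj()
    out = d.decompress(body, max_length=declared_len + 1)
    # 3. Output must be exactly the declared length, the stream must have ended
    #    and nothing may trail it.
    if len(out) != declared_len or not d.eof or d.unused_data:
        raise ValueError(f"body does not decompress to exactly {declared_len} bytes")
    return out


def demo() -> dict:
    """Run an honest and a hostile message through both receivers."""
    honest = build_compressed_certificate(SAMPLE_CERT_MSG)
    # Hostile message: one byte of payload, uncompressed_length set to the uint24 maximum.
    hostile = build_compressed_certificate(b"x", declared_len=(1 << 24) - 1)
    result = {
        "honest_vulnerable_alloc": receive_vulnerable(honest),
        "honest_hardened_ok": receive_hardened(honest) == SAMPLE_CERT_MSG,
        "hostile_vulnerable_alloc": receive_vulnerable(hostile),
    }
    try:
        receive_hardened(hostile)
        result["hostile_hardened_rejected"] = False
    except ValueError:
        result["hostile_hardened_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At the OpenSSL API level the equivalent mitigation for an unpatched build is SSL_CTX_set_options(ctx, SSL_OP_NO_RX_CERTIFICATE_COMPRESSION) (or SSL_set_options() for a single connection), which stops the endpoint from accepting compressed certificates at all; upgrading to a fixed release remains the proper remedy.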


Affected Version(s)

OpenSSL 3.6.0 (fixed in 3.6.1)

OpenSSL 3.5.0 through 3.5.4 (fixed in 3.5.5)

OpenSSL 3.4.0 through 3.4.3 (fixed in 3.4.4)

Timeline

  • Vulnerability reserved

  • Vulnerability published: 27 January 2026

Credit

Tomas Dulka (Aisle Research)
Stanislav Fort (Aisle Research)