Out-of-Bounds Vulnerability in OpenSSL CMS with Password-Based Encryption
CVE-2025-9230

Currently unrated

Key Information:

Vendor

OpenSSL
Status
OpenSSL
Vendor
CVE Published:
30 September 2025

What is CVE-2025-9230?

A significant vulnerability has been identified in OpenSSL's implementation of password-based encryption within CMS (Cryptographic Message Syntax). This issue allows an application to initiate an out-of-bounds read and write due to faulty decryption processes. Exploiting this vulnerability can lead to application crashes and potential memory corruption, posing risks such as Denial of Service or execution of arbitrary code by attackers. While the potential consequences are severe, instances of successful exploitation are deemed low owing to the uncommon usage of password-based encryption in CMS messages. Importantly, the FIPS modules in various OpenSSL versions remain unaffected.

Affected Version(s)

OpenSSL 3.5.0 < 3.5.4

OpenSSL 3.4.0 < 3.4.3

OpenSSL 3.3.0 < 3.3.5

References

https://openssl-library.org/news/secadv/20250930.txt
vendor-advisory
https://github.com/openssl/openssl/commit/bae259a211ada63...
patch
https://github.com/openssl/openssl/commit/9e91358f365dee6...
patch

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stanislav Fort (Aisle Research)
Stanislav Fort (Aisle Research)
Viktor Dukhovni
JSON
.
CVE-2025-9230 : Out-of-Bounds Vulnerability in OpenSSL CMS with Password-Based Encryption