
[CIVN-2026-0078] Multiple Vulnerabilities in OpenSSL
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
OpenSSL version 3.6.
OpenSSL version 3.5.
OpenSSL version 3.4.
OpenSSL version 3.3.
OpenSSL version 3.0.
OpenSSL version 1.1.1
OpenSSL version 1.0.2
Overview
Multiple vulnerabilities have been reported in OpenSSL which could be exploited by an attacker to execute arbitrary code, cause denial of service, or disclose sensitive information on the targeted system.
Target Audience
All end-user organizations and individuals using OpenSSL.
Risk Assessment
Risk of remote code execution, denial of service, memory corruption and integrity bypass.
Impact Assessment
Potential compromise of system, service disruption and unauthorized access to sensitive information.
Description
OpenSSL is free and open-source software for general-purpose cryptography and secure communication. It provides a robust, full-featured toolkit for implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Multiple vulnerabilities exist in OpenSSL due to insufficient validation of untrusted input, unsafe handling of ASN.1 parameters and improper bounds checking in several cryptographic parsing and verification code paths. These issues cause NULL pointer dereferences, type confusion, stack and heap buffer overflows and excessive memory allocation. A remote attacker could exploit these vulnerabilities by sending specially crafted inputs.
Successful exploitation of these vulnerabilities could allow a remote attacker to trigger remote code execution, a denial of service condition, data manipulation and sensitive information disclosure on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://openssl-library.org/news/secadv/20260127.txt
Vendor Information
OpenSSL
https://openssl-library.org/news/vulnerabilities/
References
OpenSSL
https://openssl-library.org/news/secadv/20260127.txt
CVE Name
CVE-2025-11187
CVE-2025-15467
CVE-2025-15468
CVE-2025-15469
CVE-2025-22795
CVE-2025-22796
CVE-2025-69148
CVE-2025-68160
CVE-2025-66199
CVE-2025-69419
CVE-2025-69420
CVE-2025-69421
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


