Vulners
Lucene search
OpenSSL 3.4.0 < 3.4.4 Multiple Vulnerabilities
10
| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(296766);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");
script_cve_id(
"CVE-2025-11187",
"CVE-2025-15467",
"CVE-2025-15468",
"CVE-2025-66199",
"CVE-2025-68160",
"CVE-2025-69418",
"CVE-2025-69419",
"CVE-2025-69420",
"CVE-2025-69421",
"CVE-2026-22795",
"CVE-2026-22796"
);
script_xref(name:"IAVA", value:"2026-A-0087-S");
script_name(english:"OpenSSL 3.4.0 < 3.4.4 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of OpenSSL installed on the remote host is prior to 3.4.4. It is, therefore, affected by multiple
vulnerabilities as referenced in the 3.4.4 advisory.
- Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server
receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer
dereference leads to abnormal termination of the running process causing Denial of Service. Some
applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the
peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will
happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this
function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue
was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of
the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as
the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are
vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. Fixed in OpenSSL
3.4.4 (Affected since 3.4.0). (CVE-2025-15468)
- Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data
where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing
signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can
be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The
function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its
type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the
ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a
malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of
Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons
the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by
this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL
3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 3.4.4 (Affected
since 3.4.0). (CVE-2026-22796)
- Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed
PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to
dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion
vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address
space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This
range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably
result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or
application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12
files in applications as they are usually used to store private keys which are trusted by definition. For
these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not
affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL
3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this
issue. Fixed in OpenSSL 3.4.4 (Affected since 3.4.0). (CVE-2026-22795)
- Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the
PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash
which leads to Denial of Service for an application processing PKCS#12 files. The
PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before
dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter
can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to
achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a
malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low
severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not
affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 3.4.4
(Affected since 3.4.0). (CVE-2025-69421)
- Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an
ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer
dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling
TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert()
and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE
union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161)
is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue
was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5,
3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. Fixed
in OpenSSL 3.4.4 (Affected since 3.4.0). (CVE-2025-69420)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://github.com/openssl/openssl/commit/205e3a55e16e4bd08c12fdbd3416ab829c0f6206
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?db89af8d");
# https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?acd9b969");
# https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7bb28302");
# https://github.com/openssl/openssl/commit/643986985cd1c21221f941129d76fe0c2785aeb3
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?68fa3f89");
# https://github.com/openssl/openssl/commit/68a7cd2e2816c3a02f4d45a2ce43fc04fac97096
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?25fac739");
# https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4b5aeca8");
# https://github.com/openssl/openssl/commit/7bbca05be55b129651d9df4bdb92becc45002c12
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cf9e12a5");
# https://github.com/openssl/openssl/commit/7c88376731c589ee5b36116c5a6e32d5ae5f7ae2
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6cc13b03");
# https://github.com/openssl/openssl/commit/966a2478046c311ed7dae50c457d0db4cafbf7e4
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3ee096db");
# https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ff2373e5");
script_set_attribute(attribute:"see_also", value:"https://openssl-library.org/news/secadv/20260127.txt");
# https://openssl-library.org/policies/general/security-policy/index.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eac4598c");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-11187");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-15467");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-15468");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-66199");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-68160");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69418");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69419");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69420");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69421");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-22795");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-22796");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSL version 3.4.4 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-69421");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"patch_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"II");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("openssl_version.nasl", "openssl_nix_installed.nbin", "openssl_win_installed.nbin");
script_require_keys("installed_sw/OpenSSL");
exit(0);
}
include('vcf.inc');
include('vcf_extras_openssl.inc');
var app_info = vcf::combined_get_app_info(app:'OpenSSL');
vcf::check_all_backporting(app_info:app_info);
var constraints = [
{ 'min_version' : '3.4.0', 'fixed_version' : '3.4.4' }
];
vcf::openssl::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Apr 2026 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.17.5 - 8.8
EPSS0.02889
SSVC