Vulners
Lucene search
OpenSSL 3.5.0 < 3.5.5 Multiple Vulnerabilities
10
| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(296768);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");
script_cve_id(
"CVE-2025-11187",
"CVE-2025-15467",
"CVE-2025-15468",
"CVE-2025-15469",
"CVE-2025-66199",
"CVE-2025-68160",
"CVE-2025-69418",
"CVE-2025-69419",
"CVE-2025-69420",
"CVE-2025-69421",
"CVE-2026-22795",
"CVE-2026-22796"
);
script_xref(name:"IAVA", value:"2026-A-0087-S");
script_name(english:"OpenSSL 3.5.0 < 3.5.5 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of OpenSSL installed on the remote host is prior to 3.5.5. It is, therefore, affected by multiple
vulnerabilities as referenced in the 3.5.5 advisory.
- Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server
receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer
dereference leads to abnormal termination of the running process causing Denial of Service. Some
applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the
peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will
happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this
function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue
was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of
the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as
the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are
vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. Fixed in OpenSSL
3.5.5 (Affected since 3.5.0). (CVE-2025-15468)
- Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data
where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing
signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can
be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The
function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its
type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the
ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a
malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of
Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons
the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by
this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL
3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 3.5.5 (Affected
since 3.5.0). (CVE-2026-22796)
- Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed
PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to
dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion
vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address
space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This
range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably
result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or
application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12
files in applications as they are usually used to store private keys which are trusted by definition. For
these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not
affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL
3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this
issue. Fixed in OpenSSL 3.5.5 (Affected since 3.5.0). (CVE-2026-22795)
- Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the
PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash
which leads to Denial of Service for an application processing PKCS#12 files. The
PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before
dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter
can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to
achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a
malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low
severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not
affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 3.5.5
(Affected since 3.5.0). (CVE-2025-69421)
- Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an
ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer
dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling
TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert()
and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE
union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161)
is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue
was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5,
3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. Fixed
in OpenSSL 3.5.5 (Affected since 3.5.0). (CVE-2025-69420)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?106bd24b");
# https://github.com/openssl/openssl/commit/2502e7b7d4c0cf4f972a881641fe09edc67aeec4
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a86b3de5");
# https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a054c75b");
# https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9aa5f05a");
# https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48f0b0cb");
# https://github.com/openssl/openssl/commit/6845c3b6460a98b1ec4e463baa2ea1a63a32d7c0
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?72b27b70");
# https://github.com/openssl/openssl/commit/895150b5e021d16b52fb32b97e1dd12f20448be5
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?967288b0");
# https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cb0bc5f6");
# https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6ad68d16");
# https://github.com/openssl/openssl/commit/e1079bc17ed93ff16f6b86f33a2fe3336e78817e
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d1b4f49");
# https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b5866ede");
script_set_attribute(attribute:"see_also", value:"https://openssl-library.org/news/secadv/20260127.txt");
# https://openssl-library.org/policies/general/security-policy/index.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eac4598c");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-11187");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-15467");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-15468");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-15469");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-66199");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-68160");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69418");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69419");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69420");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69421");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-22795");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-22796");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSL version 3.5.5 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-69421");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"patch_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"II");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("openssl_version.nasl", "openssl_nix_installed.nbin", "openssl_win_installed.nbin");
script_require_keys("installed_sw/OpenSSL");
exit(0);
}
include('vcf.inc');
include('vcf_extras_openssl.inc');
var app_info = vcf::combined_get_app_info(app:'OpenSSL');
vcf::check_all_backporting(app_info:app_info);
var constraints = [
{ 'min_version' : '3.5.0', 'fixed_version' : '3.5.5' }
];
vcf::openssl::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Apr 2026 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.17.5 - 8.8
EPSS0.02889
SSVC