Vulners
Lucene search
OpenSSL 3.6.0 < 3.6.1 Multiple Vulnerabilities
10
| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(296770);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");
script_cve_id(
"CVE-2025-11187",
"CVE-2025-15467",
"CVE-2025-15468",
"CVE-2025-15469",
"CVE-2025-66199",
"CVE-2025-68160",
"CVE-2025-69418",
"CVE-2025-69419",
"CVE-2025-69420",
"CVE-2025-69421",
"CVE-2026-22795",
"CVE-2026-22796"
);
script_xref(name:"IAVA", value:"2026-A-0087-S");
script_name(english:"OpenSSL 3.6.0 < 3.6.1 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of OpenSSL installed on the remote host is prior to 3.6.1. It is, therefore, affected by multiple
vulnerabilities as referenced in the 3.6.1 advisory.
- Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server
receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer
dereference leads to abnormal termination of the running process causing Denial of Service. Some
applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the
peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will
happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this
function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue
was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of
the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as
the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are
vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. Fixed in OpenSSL
3.6.1 (Affected since 3.6.0). (CVE-2025-15468)
- Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data
where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL
pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing
signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can
be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The
function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its
type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the
ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a
malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of
Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons
the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by
this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL
3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 3.6.1 (Affected
since 3.6.0). (CVE-2026-22796)
- Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed
PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to
dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion
vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address
space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This
range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably
result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or
application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12
files in applications as they are usually used to store private keys which are trusted by definition. For
these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not
affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL
3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this
issue. Fixed in OpenSSL 3.6.1 (Affected since 3.6.0). (CVE-2026-22795)
- Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the
PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash
which leads to Denial of Service for an application processing PKCS#12 files. The
PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before
dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter
can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to
achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a
malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low
severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not
affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Fixed in OpenSSL 3.6.1
(Affected since 3.6.0). (CVE-2025-69421)
- Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an
ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer
dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling
TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert()
and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE
union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161)
is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue
was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5,
3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. Fixed
in OpenSSL 3.6.1 (Affected since 3.6.0). (CVE-2025-69420)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d09a7584");
# https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c3c71d7c");
# https://github.com/openssl/openssl/commit/4c96fbba618e1940f038012506ee9e21d32ee12c
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?00214146");
# https://github.com/openssl/openssl/commit/6184a4fb08ee6d7bca570d931a4e8bef40b64451
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?547e3f13");
# https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3520a05d");
# https://github.com/openssl/openssl/commit/8caf359d6e46fb413e8f5f0df765d2e8a51df4e8
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b25d85d6");
# https://github.com/openssl/openssl/commit/a2dbc539f0f9cc63832709fa5aa33ad9495eb19c
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3faa7951");
# https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7327507e");
# https://github.com/openssl/openssl/commit/b2539639400288a4580fe2d76247541b976bade4
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2bcb66ad");
# https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a4ba529");
# https://github.com/openssl/openssl/commit/ef2fb66ec571564d64d1c74a12e388a2a54d05d2
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8e12ebc8");
script_set_attribute(attribute:"see_also", value:"https://openssl-library.org/news/secadv/20260127.txt");
# https://openssl-library.org/policies/general/security-policy/index.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eac4598c");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-11187");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-15467");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-15468");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-15469");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-66199");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-68160");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69418");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69419");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69420");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2025-69421");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-22795");
script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2026-22796");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSL version 3.6.1 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-69421");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"patch_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/27");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"II");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("openssl_version.nasl", "openssl_nix_installed.nbin", "openssl_win_installed.nbin");
script_require_keys("installed_sw/OpenSSL");
exit(0);
}
include('vcf.inc');
include('vcf_extras_openssl.inc');
var app_info = vcf::combined_get_app_info(app:'OpenSSL');
vcf::check_all_backporting(app_info:app_info);
var constraints = [
{ 'min_version' : '3.6.0', 'fixed_version' : '3.6.1' }
];
vcf::openssl::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Apr 2026 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.17.5 - 8.8
EPSS0.02889
SSVC