CVE-2025-15468

EUVD-2025-206400

27.01.2026, 16:16

Issue summary: If an application using the SSL_CIPHER_find() function in
a QUIC protocol client or server receives an unknown cipher suite from
the peer, a NULL dereference occurs.

Impact summary: A NULL pointer dereference leads to abnormal termination of
the running process causing Denial of Service.

Some applications call SSL_CIPHER_find() from the client_hello_cb callback
on the cipher ID received from the peer. If this is done with an SSL object
implementing the QUIC protocol, NULL pointer dereference will happen if
the examined cipher ID is unknown or unsupported.

As it is not very common to call this function in applications using the QUIC
protocol and the worst outcome is Denial of Service, the issue was assessed
as Low severity.

The vulnerable code was introduced in the 3.2 version with the addition
of the QUIC protocol support.

The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,
as the QUIC implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 14%

Affected Products (NVD)

Vendor	Product	Version
openssl	openssl	3.3.0 ≤ 𝑥 < 3.3.6
openssl	openssl	3.4.0 ≤ 𝑥 < 3.4.4
openssl	openssl	3.5.0 ≤ 𝑥 < 3.5.5
openssl	openssl	3.6.0 ≤ 𝑥 < 3.6.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

openssl

bookworm	3.0.18-1~deb12u1 not-affected
bookworm (security)	3.0.18-1~deb12u2 fixed
bullseye	1.1.1w-0+deb11u1 not-affected
bullseye (security)	1.1.1w-0+deb11u4 fixed
forky	3.5.5-1 fixed
sid	3.5.5-1 fixed
trixie	vulnerable
trixie (security)	3.5.4-1~deb13u2 fixed

Ubuntu Releases

Ubuntu Product

Codename

openssl

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	ignored
questing	Fixed 3.5.3-1ubuntu3 released
trusty	not-affected
xenial	not-affected

openssl1.0

bionic	not-affected
jammy	dne
noble	dne
plucky	dne
questing	dne

nodejs

bionic	needs-triage
focal	not-affected
jammy	needed
noble	not-affected
plucky	not-affected
questing	not-affected
trusty	not-affected
xenial	needs-triage

edk2

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	ignored
questing	not-affected
xenial	not-affected

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Vulnerability Media Exposure

References

https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65

https://github.com/openssl/openssl/commit/7c88376731c589ee5b36116c5a6e32d5ae5f7ae2

https://github.com/openssl/openssl/commit/b2539639400288a4580fe2d76247541b976bade4

https://github.com/openssl/openssl/commit/d75b309879631d45b972396ce4e5102559c64ac7

https://openssl-library.org/news/secadv/20260127.txt