CVE-2025-69420

EUVD-2025-206394
Issue summary: A type confusion vulnerability exists in the TimeStamp Response
verification code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid or NULL pointer dereference when
processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a
malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()
access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory
through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The
TimeStamp protocol (RFC 3161) is not widely used and the impact of the
exploit is just a Denial of Service. For these reasons the issue was
assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
1.1.1 ≤
𝑥
< 1.1.1ze
opensslopenssl
3.0.0 ≤
𝑥
< 3.0.19
opensslopenssl
3.3.0 ≤
𝑥
< 3.3.6
opensslopenssl
3.4.0 ≤
𝑥
< 3.4.4
opensslopenssl
3.5.0 ≤
𝑥
< 3.5.5
opensslopenssl
3.6.0 ≤
𝑥
< 3.6.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
SiemensSIMATIC S7-1500 TM MFP - GNU\/Linux subsystem
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
openssl
bookworm
3.0.20-1~deb12u1
fixed
bookworm (security)
3.0.19-1~deb12u2
fixed
bullseye
vulnerable
bullseye (security)
1.1.1w-0+deb11u5
fixed
forky
3.6.2-1
fixed
sid
3.6.2-1
fixed
trixie
3.5.6-1~deb13u1
fixed
trixie (security)
3.5.5-1~deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
bionic
Fixed 1.1.1-1ubuntu2.1~18.04.23+esm7
released
focal
Fixed 1.1.1f-1ubuntu2.24+esm2
released
jammy
Fixed 3.0.2-0ubuntu1.21
released
noble
Fixed 3.0.13-0ubuntu3.7
released
plucky
ignored
questing
Fixed 3.5.3-1ubuntu3
released
resolute
Fixed 3.5.5-1ubuntu1
released
trusty
not-affected
xenial
not-affected
openssl1.0
bionic
not-affected
jammy
dne
noble
dne
plucky
dne
questing
dne
resolute
dne
nodejs
bionic
needs-triage
focal
not-affected
jammy
needed
noble
not-affected
plucky
not-affected
questing
not-affected
resolute
not-affected
trusty
not-affected
xenial
needs-triage
edk2
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
not-affected
plucky
ignored
questing
not-affected
resolute
not-affected
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libopenssl-3-devel
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl-3-fips-provider
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl-3-fips-provider-32bit
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl3
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
libopenssl3-32bit
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
openssl-3
suse enterprise desktop 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise sap 15 SP7
3.2.3-150700.5.24.1
fixed
suse enterprise server 15 SP4
3.0.8-150400.4.78.1
fixed
suse enterprise server 15 SP5
3.0.8-150500.5.57.1
fixed
suse enterprise server 15 SP6
3.1.4-150600.5.42.1
fixed
suse enterprise server 15 SP7
3.2.3-150700.5.24.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssl
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-devel
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-libs
RHEL 9
1:3.5.1-7.el9_7
fixed
openssl-perl
RHEL 9
1:3.5.1-7.el9_7
fixed
Common Weakness Enumeration
References
https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9
https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a
https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e
https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b
https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085
https://openssl-library.org/news/secadv/20260127.txt
https://cert-portal.siemens.com/productcert/html/ssa-265688.html