CVE-2025-9230

EUVD-2025-31729
Issue summary: An application trying to decrypt CMS messages encrypted using
password-based encryption (a PasswordRecipientInfo, "PWRI", as defined in
RFC 3211) can trigger an out-of-bounds read and write.

Impact summary: The out-of-bounds read may trigger a crash which leads to
Denial of Service for the application. The out-of-bounds write can cause
memory corruption which can have various consequences, including Denial of
Service or execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability
could be severe, the probability that an attacker would be able to perform
it is low. In addition, password-based (PWRI) encryption support in CMS
messages is very rarely used. For that reason the issue was assessed as
Moderate severity according to the OpenSSL Security Policy. Exposure is
limited to code that decrypts attacker-controlled CMS input with a password,
for example CMS_decrypt() after CMS_decrypt_set1_password(), or
`openssl cms -decrypt -pwri_password`.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.
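Because the bug is only reachable when a message carrying a PWRI recipient is decrypted, an application on a host that has not yet been patched can refuse such messages before they reach the decryption call. The block below is an added example written for this page; it is not OpenSSL code and not part of the advisory. It walks the DER of a CMS ContentInfo far enough to list the RecipientInfo alternatives (tags and OIDs from RFC 5652 and RFC 3211) and builds its own constructed sample messages, one with and one without a password recipient.

```python
"""Flag CMS EnvelopedData messages that carry a password (pwri) recipient.

Added example for this advisory page, not OpenSSL project code. CVE-2025-9230 is
reached only when a message with a PasswordRecipientInfo is decrypted, so an
application on a not-yet-patched host can refuse such input before CMS_decrypt().
Tags and OIDs follow RFC 5652 (CMS) and RFC 3211 (PWRI); samples are constructed.
"""

ID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"     # RFC 5652 id-envelopedData
ID_ALG_PWRI_KEK = "1.2.840.113549.1.9.16.3.9"  # RFC 3211 id-alg-PWRI-KEK
# RecipientInfo CHOICE (RFC 5652 6.2) by tag: ktri is a bare SEQUENCE, the rest IMPLICIT [1]..[4]
RECIPIENT_TAGS = {0x30: "ktri", 0xA1: "kari", 0xA2: "kekri", 0xA3: "pwri", 0xA4: "ori"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def recipient_types(der):
    """List the RecipientInfo alternatives in a DER CMS message; ValueError if not EnvelopedData."""
    tag, content_info, _ = _read_tlv(der, 0)
    fields = list(_children(content_info)) if tag == 0x30 else []
    if len(fields) != 2 or fields[0][0] != 0x06 or fields[1][0] != 0xA0:
        raise ValueError("not a CMS ContentInfo")
    if _decode_oid(fields[0][1]) != ID_ENVELOPED_DATA:
        raise ValueError("contentType is not id-envelopedData")
    tag, enveloped, _ = _read_tlv(fields[1][1], 0)   # [0] EXPLICIT EnvelopedData
    items = list(_children(enveloped)) if tag == 0x30 else []
    idx = 2 if len(items) > 1 and items[1][0] == 0xA0 else 1   # skip optional originatorInfo [0]
    if len(items) <= idx or items[idx][0] != 0x31:
        raise ValueError("recipientInfos SET missing")
    return [RECIPIENT_TAGS.get(t, "unknown") for t, _ in _children(items[idx][1])]

def contains_pwri(der):
    """True if decrypting this message would enter the PWRI code path."""
    return "pwri" in recipient_types(der)

# Constructed sample messages: hand-built DER, not real captures.
def _der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    long_len = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(long_len)]) + long_len) + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _der(0x06, bytes(out))

def _algid(oid):                                    # AlgorithmIdentifier with NULL params
    return _der(0x30, _oid(oid), _der(0x05))

def _ktri():                                        # KeyTransRecipientInfo, rid = [0] skid
    return _der(0x30, _der(0x02, b"\x02"), _der(0x80, b"\x11" * 8),
                _algid("1.2.840.113549.1.1.1"), _der(0x04, b"\x22" * 8))

def _pwri():                                        # PasswordRecipientInfo, IMPLICIT [3], PBKDF2 kdf
    kdf = _der(0xA0, _oid("1.2.840.113549.1.5.12"), _der(0x30, _der(0x04, b"\x33" * 8), _der(0x02, b"\x10\x00")))
    return _der(0xA3, _der(0x02, b"\x00"), kdf, _algid(ID_ALG_PWRI_KEK), _der(0x04, b"\x44" * 8))

def _enveloped(*recipients):
    version = b"\x03" if any(r[0] == 0xA3 for r in recipients) else b"\x02"
    eci = _der(0x30, _oid("1.2.840.113549.1.7.1"), _algid("2.16.840.1.101.3.4.1.2"),
               _der(0x80, b"\x55" * 16))           # encryptedContent [0] IMPLICIT
    return _der(0x30, _oid(ID_ENVELOPED_DATA),
                _der(0xA0, _der(0x30, _der(0x02, version), _der(0x31, *recipients), eci)))

SAMPLE_PWRI = _enveloped(_ktri(), _pwri())          # certificate recipient plus a password
SAMPLE_KTRI_ONLY = _enveloped(_ktri())
```

Call recipient_types() on the DER you are about to hand to CMS_decrypt() and reject anything that reports "pwri" until the host runs a fixed build; messages that use only certificate (ktri) or key-agreement (kari) recipients never enter the affected code. The parser deliberately stops at the recipient list and does not validate the rest of the structure, so it is a gate in front of the real parser, not a replacement for it, and the only durable fix is the patched OpenSSL listed below.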
CVSS (v3.1, scored by the openssl CNA)
Provider  Type  Base score  Attack vector  Attack complexity  Privileges required  Vector
openssl   CNA   7.5 HIGH    NETWORK        LOW                NONE                 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

The vector scores availability impact only (C:N/I:N/A:H), i.e. the crash outcome; the OpenSSL advisory above rates the issue Moderate overall because the PWRI path is rarely used and exploitation is considered unlikely.

EPSS percentile: 11%

Early detection: affected products identified ahead of NVD analysis through intelligence sources (the rows marked ADP in the affected-products table).
Affected products
Source: CNA = the openssl CVE Numbering Authority; ADP = Authorized Data Publisher enrichment. "x < *" means no fixed version is listed.

Vendor   Product                                                 Version range         Source
Siemens  RUGGEDCOM RST2428P                                      x < V3.3              ADP
Siemens  SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family    x < V3.3              ADP
Siemens  SCALANCE XCH328                                         x < V3.3              ADP
Siemens  SCALANCE XCM324                                         x < V3.3              ADP
Siemens  SCALANCE XCM328                                         x < V3.3              ADP
Siemens  SCALANCE XCM332                                         x < V3.3              ADP
Siemens  SCALANCE XRH334 (24 V DC, 8xFO, CC)                     x < V3.3              ADP
Siemens  SCALANCE XRM334 (230 V AC, 12xFO)                       x < V3.3              ADP
Siemens  SCALANCE XRM334 (230 V AC, 8xFO)                        x < V3.3              ADP
Siemens  SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+)        x < V3.3              ADP
Siemens  SCALANCE XRM334 (24 V DC, 12xFO)                        x < V3.3              ADP
Siemens  SCALANCE XRM334 (24 V DC, 8xFO)                         x < V3.3              ADP
Siemens  SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+)         x < V3.3              ADP
Siemens  SCALANCE XRM334 (2x230 V AC, 12xFO)                     x < V3.3              ADP
Siemens  SCALANCE XRM334 (2x230 V AC, 8xFO)                      x < V3.3              ADP
Siemens  SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+)      x < V3.3              ADP
Siemens  SIDIS Prime                                             x < V4.0.800          ADP
Siemens  SIMATIC CN 4100                                         x < V5.0              ADP
Siemens  SIMATIC S7-1500 CPU 1518-4 PN/DP MFP                    V3.1.5 ≤ x < *        ADP
Siemens  SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP                   V3.1.5 ≤ x < *        ADP
Siemens  SIMATIC S7-1500 TM MFP - GNU/Linux subsystem            x < *                 ADP
Siemens  SIPLUS S7-1500 CPU 1518-4 PN/DP MFP                     V3.1.5 ≤ x < *        ADP
openssl  openssl                                                 3.5.0 ≤ x < 3.5.4     CNA
openssl  openssl                                                 3.4.0 ≤ x < 3.4.3     CNA
openssl  openssl                                                 3.3.0 ≤ x < 3.3.5     CNA
openssl  openssl                                                 3.2.0 ≤ x < 3.2.6     CNA
openssl  openssl                                                 3.0.0 ≤ x < 3.0.18    CNA
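The upstream ranges above only apply to builds that carry the upstream version number. Distributions backport the fix under the old version (RHEL 9, for example, ships it as 1:3.5.1-4.el9_7, which the ranges would otherwise classify as affected), so for packaged OpenSSL the distribution tables further down are authoritative. The block below is an added example for this page, not OpenSSL tooling: it encodes the CNA ranges, classifies an `openssl version` string against them, and refuses to apply them to package-style version strings. The `openssl` binary being on PATH is an assumption used only by the optional local check.

```python
"""Check an upstream OpenSSL version against the CVE-2025-9230 ranges listed above.

Added example for this advisory page, not OpenSSL project code. AFFECTED_RANGES is
copied from the CNA rows (3.0, 3.2, 3.3, 3.4, 3.5). The check is only meaningful for
upstream builds: distributions backport the fix under the old version number, so a
package-style version string is sent to the vendor tables instead of being compared.
"""
import re
import subprocess

# (first affected, first fixed) per series, from the CNA rows above.
AFFECTED_RANGES = [
    ((3, 0, 0), (3, 0, 18)),
    ((3, 2, 0), (3, 2, 6)),
    ((3, 3, 0), (3, 3, 5)),
    ((3, 4, 0), (3, 4, 3)),
    ((3, 5, 0), (3, 5, 4)),
]
NEWEST_FIX = max(hi for _, hi in AFFECTED_RANGES)
# Epoch and/or release suffix, e.g. "1:3.5.1-4.el9_7", "3.0.13-0ubuntu3.6", "3.5.6-1~deb13u1".
DISTRO_PKG = re.compile(r"^(\d+:)?\d+\.\d+\.\d+[a-z]?-\S+$")


def parse_version(text):
    """(major, minor, patch) from `openssl version` output or a bare version string.

    Returns None when there is no dotted three-part version, e.g. "1.1.1w",
    whose letter-suffixed scheme the CNA rows on this page do not cover.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected_upstream(text):
    """True/False for an upstream build; None when this page lists no range for the series."""
    v = parse_version(text)
    if v is None:
        return None
    if v >= NEWEST_FIX:
        return False                      # at or past the newest fixed release listed
    if v[:2] not in {lo[:2] for lo, _ in AFFECTED_RANGES}:
        return None                       # 3.1.x and 1.x: not listed here, no claim made
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def assess(text):
    """One-line verdict for a version string; distro package strings defer to vendor rows."""
    text = text.strip()
    if DISTRO_PKG.match(text):
        return "distro package: upstream ranges do not apply, check the vendor table"
    verdict = is_affected_upstream(text)
    if verdict is None:
        return "no CNA range on this page for this series"
    return "affected" if verdict else "not affected (upstream build)"


def local_openssl_version():
    """`openssl version` on this host (assumes an openssl binary on PATH)."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout.strip()


if __name__ == "__main__":
    print(assess(local_openssl_version()))
```

Feed it the output of `openssl version` for a self-built or vendor-supplied upstream tarball, and the package version from `rpm -q openssl` or `dpkg -s libssl3` for a distribution build; the second form is recognised and deliberately not scored, because only the vendor's own fixed-version row says whether the backport is present.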
Debian releases (package: openssl)
Release              Version              Status
bookworm             3.0.20-1~deb12u1     fixed
bookworm (security)  3.0.19-1~deb12u2     fixed
bullseye             -                    vulnerable
bullseye (security)  1.1.1w-0+deb11u5     fixed
forky                3.6.2-1              fixed
sid                  3.6.2-1              fixed
trixie               3.5.6-1~deb13u1      fixed
trixie (security)    3.5.5-1~deb13u2      fixed
Ubuntu releases
Status vocabulary (Ubuntu CVE tracker): released = fix published; needed = affected, fix pending; needs-triage = not yet assessed; not-affected; dne = package does not exist in that release.

Package       Release   Fixed version / status
openssl       bionic    1.1.1-1ubuntu2.1~18.04.23+esm6 (released)
openssl       focal     1.1.1f-1ubuntu2.24+esm1 (released)
openssl       jammy     3.0.2-0ubuntu1.20 (released)
openssl       noble     3.0.13-0ubuntu3.6 (released)
openssl       plucky    3.4.1-1ubuntu4 (released)
openssl       questing  3.5.3-1ubuntu2 (released)
openssl       resolute  3.5.3-1ubuntu2 (released)
openssl       trusty    1.0.1f-1ubuntu2.27+esm11 (released)
openssl       xenial    1.0.2g-1ubuntu4.20+esm13 (released)
openssl-fips  noble     3.0.13-0ubuntu3.6+Fips1 (released); dne on bionic, focal, jammy, questing, resolute, trusty, xenial
openssl1.0    bionic    1.0.2n-1ubuntu5.13+esm2 (released); dne on jammy, noble, plucky, questing, resolute
nodejs        bionic    needs-triage
nodejs        jammy     needed
nodejs        xenial    needs-triage
nodejs        focal, noble, plucky, questing, resolute, trusty: not-affected
edk2          bionic, focal, jammy, noble, plucky, questing, resolute, xenial: not-affected
openSUSE / SLES releases
All versions below are fixed. "-" = no row on the page for that package/release. 15 SP6 and 15 SP7 columns cover SUSE Linux Enterprise Desktop, Server and Server for SAP alike; SP4 and SP5 rows exist only for SUSE Linux Enterprise Server.

Package                           SLES 15 SP4            SLES 15 SP5            15 SP6 (SLED/SLES/SAP)   15 SP7 (SLED/SLES/SAP)
libopenssl-3-devel                3.0.8-150400.4.75.1    3.0.8-150500.5.54.1    3.1.4-150600.5.39.1      3.2.3-150700.5.21.1
libopenssl-3-fips-provider        -                      -                      3.1.4-150600.5.39.1      3.2.3-150700.5.21.1
libopenssl-3-fips-provider-32bit  -                      -                      3.1.4-150600.5.39.1      3.2.3-150700.5.21.1
libopenssl3                       3.0.8-150400.4.75.1    3.0.8-150500.5.54.1    3.1.4-150600.5.39.1      3.2.3-150700.5.21.1
libopenssl3-32bit                 -                      -                      3.1.4-150600.5.39.1      3.2.3-150700.5.21.1
openssl-3                         3.0.8-150400.4.75.1    3.0.8-150500.5.54.1    3.1.4-150600.5.39.1      3.2.3-150700.5.21.1
Red Hat Enterprise Linux releases
All versions below are fixed. The four openssl packages (openssl, openssl-devel, openssl-libs, openssl-perl) share one fixed version per release, as do the four edk2 packages.

Package(s)                                            Release               Fixed version
edk2-aarch64, edk2-ovmf, edk2-tools, edk2-tools-doc   RHEL 9                0:20241117-4.el9_7.3
openssl, openssl-devel, openssl-libs, openssl-perl    RHEL 8                1:1.1.1k-14.el8_10
openssl, openssl-devel, openssl-libs, openssl-perl    RHEL 8.2 AUS          1:1.1.1c-21.el8_2.1
openssl, openssl-devel, openssl-libs, openssl-perl    RHEL 8.4 AUS          1:1.1.1g-18.el8_4.1
openssl, openssl-devel, openssl-libs, openssl-perl    RHEL 8.6 AUS/E4S/TUS  1:1.1.1k-14.el8_6.1
openssl, openssl-devel, openssl-libs, openssl-perl    RHEL 8.8 E4S/TUS      1:1.1.1k-14.el8_8.1
openssl, openssl-devel, openssl-libs, openssl-perl    RHEL 9                1:3.5.1-4.el9_7