CVE-2025-9230: 
LibreSSL vulnerability analysis and mitigation

CVE-2025-9230 is a vulnerability discovered in OpenSSL's CMS message decryption functionality, disclosed on September 30, 2025. The vulnerability affects OpenSSL versions 3.5 (before 3.5.4), 3.4 (before 3.4.3), 3.3 (before 3.3.5), 3.2 (before 3.2.6), 3.0 (before 3.0.18), 1.1.1 (before 1.1.1zd), and 1.0.2 (before 1.0.2zm). The issue was discovered by Stanislav Fort from Aisle Research (OpenSSL Advisory).

The vulnerability involves an out-of-bounds read and write condition that occurs when an application attempts to decrypt CMS messages encrypted using password-based encryption. The issue is classified with two CWE identifiers: CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write). The vulnerability has been assessed as Moderate severity, with a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD Database).

The vulnerability can lead to multiple severe consequences. The out-of-bounds read may trigger a crash resulting in a Denial of Service for affected applications. More critically, the out-of-bounds write can cause memory corruption, potentially leading to Denial of Service or execution of attacker-supplied code. However, the probability of successful exploitation is considered low, particularly since password-based (PWRI) encryption support in CMS messages is rarely used (OpenSSL Advisory).

OpenSSL has released patches for all affected versions. Users are advised to upgrade to the following versions: OpenSSL 3.5.4 (for 3.5 users), OpenSSL 3.4.3 (for 3.4 users), OpenSSL 3.3.5 (for 3.3 users), OpenSSL 3.2.6 (for 3.2 users), OpenSSL 3.0.18 (for 3.0 users), OpenSSL 1.1.1zd (for 1.1.1 users, premium support only), and OpenSSL 1.0.2zm (for 1.0.2 users, premium support only) (OpenSSL Advisory).