Security Vulnerability Report
CVE-2025-69418 CVSS 4.0 MEDIUM


Published: 2026-01-27 16:16:33
Last Modified: 2026-05-12 13:17:24

Description

Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
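The pointer defect described above, modelled in Python as an added example (not OpenSSL code): a constructed non-zero pad stands in for the AES-derived OCB offsets, so only the full-block/tail bookkeeping and the checksum coverage are realistic. The `length_sweep` function is the unaligned-length regression check a maintainer would add; all function names, the key and the messages are assumptions.

```python
BLOCK = 16

def _pad(key: bytes, i: int) -> bytes:
    # Constructed stand-in for the AES-derived OCB offset of block i. Every byte
    # lies in 1..255, so XOR with it always changes the data. Not a cipher.
    return bytes(((key[j % len(key)] + 37 * (i + 1) + j) % 255) + 1 for j in range(BLOCK))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ocb_stream_encrypt(key: bytes, data: bytes, advance_pointers: bool):
    """In-place model of the accelerated CRYPTO_ocb128_encrypt path: full blocks
    first, then the 1-15 byte tail. advance_pointers=False reproduces the
    CVE-2025-69418 defect: the tail step still uses the base in/out pointers.
    Returns (ciphertext, checksum); checksum is the XOR of the plaintext fed in."""
    buf = bytearray(data)                      # the caller encrypts in place
    n_full, tail = divmod(len(data), BLOCK)
    checksum = bytes(BLOCK)
    for i in range(n_full):                    # accelerated full-block path
        pt = bytes(buf[i * BLOCK:(i + 1) * BLOCK])
        checksum = _xor(checksum, pt)
        buf[i * BLOCK:(i + 1) * BLOCK] = _xor(pt, _pad(key, i))
    if tail:                                   # tail handling
        base = n_full * BLOCK if advance_pointers else 0   # defect: base stays 0
        pt = bytes(buf[base:base + tail])      # buggy case re-reads the encrypted start
        checksum = _xor(checksum, pt + b"\x80" + bytes(BLOCK - tail - 1))  # OCB tail padding
        buf[base:base + tail] = _xor(pt, _pad(key, n_full))
    return bytes(buf), checksum

def unprocessed_tail(plaintext: bytes, ciphertext: bytes) -> list:
    """Offsets in the final partial block where ciphertext still equals plaintext."""
    start = len(plaintext) - len(plaintext) % BLOCK
    return [i for i in range(start, len(plaintext)) if ciphertext[i] == plaintext[i]]

def length_sweep(key: bytes, advance_pointers: bool, max_len: int = 3 * BLOCK) -> list:
    """Regression check over every length 1..max_len; returns the lengths whose
    tail is left in plaintext (an aligned-only test suite never catches this)."""
    failing = []
    for n in range(1, max_len + 1):
        msg = bytes(range(1, n + 1))           # constructed message of length n
        ct, _ = ocb_stream_encrypt(key, msg, advance_pointers)
        if unprocessed_tail(msg, ct):
            failing.append(n)
    return failing

if __name__ == "__main__":
    print("buggy path fails at lengths:", length_sweep(b"k" * 16, False))
    print("fixed path fails at lengths:", length_sweep(b"k" * 16, True))
```

Note that lengths below 16 pass even on the buggy path, because with no full block the base pointer is already the right one; this is why a test suite that only covers short or aligned messages misses the defect.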

CVSS Details

CVSS Score
4.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* - VULNERABLE (one match entry per affected version range)

OpenSSL 3.6.x
OpenSSL 3.5.x
OpenSSL 3.4.x
OpenSSL 3.3.x
OpenSSL 3.0.x
OpenSSL 1.1.1x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2025-69418 PoC - OpenSSL OCB Mode Partial Block Encryption Bypass
 *
 * This PoC demonstrates the vulnerability where non-16-byte-aligned inputs
 * with AES-NI/hardware acceleration leave trailing 1-15 bytes unencrypted.
 * Note: Only affects low-level CRYPTO_ocb128_encrypt/decrypt calls, not the EVP API.
 */
#include <openssl/modes.h>   /* declares the low-level OCB128_CONTEXT / CRYPTO_ocb128_* API */
#include <openssl/evp.h>
#include <stdio.h>
#include <string.h>

/* Simulated vulnerable scenario: this function only describes the pattern, it does not encrypt. */
void demonstrate_vulnerability(void)
{
    /*
     * Vulnerable pattern - direct use of low-level OCB API:
     * When data length is not a multiple of 16 bytes and AES-NI is enabled,
     * trailing bytes (1-15) are not encrypted/authenticated.
     *
     * Example: 17-byte input with AES-NI hardware acceleration
     *   Block 1 (16 bytes): processed correctly
     *   Block 2 (1 byte):   NOT processed, left unencrypted
     */
    printf("[*] CVE-2025-69418 - OCB Mode Vulnerability\n");
    printf("[*] Affected: Low-level OCB API with non-16-byte-aligned inputs\n");
    printf("[*] Impact: Trailing 1-15 bytes may be exposed in plaintext\n");

    /*
     * Vulnerable code pattern:
     *
     *   unsigned char key[32];
     *   unsigned char nonce[12];
     *   unsigned char plaintext[17];   // not 16-byte aligned
     *   unsigned char ciphertext[32];
     *   unsigned char tag[16];
     *   OCB128_CONTEXT ctx;
     *
     *   CRYPTO_ocb128_init(&ctx, ...);                        // key schedules, block and stream functions
     *   CRYPTO_ocb128_setiv(&ctx, nonce, sizeof(nonce), sizeof(tag));
     *   CRYPTO_ocb128_encrypt(&ctx, plaintext, ciphertext, 17); // VULNERABLE: whole unaligned length in one call
     *   CRYPTO_ocb128_tag(&ctx, tag, sizeof(tag));
     *
     *   // byte 17 (index 16) remains unencrypted and unauthenticated
     */
}

int main(void)
{
    demonstrate_vulnerability();
    return 0;
}
```

References
