CVE-2025-15468 — NULL Pointer Dereference in Openssl

CWE-476 — NULL Pointer Dereference13 documents9 sources

Severity

5.9MEDIUMNVD

OSV6.1

EPSS

0.0%

top 94.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl

Timeline

PublishedJan 27

Description

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointe…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5openssl/openssl3.6.0 — 3.6.1+3

▶NVDopenssl/openssl3.3.0 — 3.3.6+3

▶Alpineopenssl/openssl< 3.3.6-r0+3

▶Debianopenssl/openssl< 3.5.4-1~deb13u2+1

▶Ubuntuopenssl/openssl< 3.0.2-0ubuntu1.21+6

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-rhx3-fg8p-f9m4: Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the pe↗2026-01-27

▶

CVEList

NULL dereference in SSL_CIPHER_find() function on unknown cipher ID↗2026-01-27

▶

OSV

openssl, openssl1.0 vulnerabilities↗2026-01-27

▶

OSV

CVE-2025-15468: Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the pe↗2026-01-27

▶

OSV

openssl vulnerabilities↗2026-01-27

▶

📋Vendor Advisories

Ubuntu

OpenSSL vulnerabilities↗2026-01-27

▶

BSD

FreeBSD-SA-26:01.openssl: Multiple vulnerabilities in OpenSSL↗2026-01-27

▶

Red Hat

openssl: OpenSSL: Denial of Service via NULL pointer dereference in QUIC protocol handling↗2026-01-27

▶

Ubuntu

OpenSSL vulnerabilities↗2026-01-27

▶

Debian

CVE-2025-15468: openssl - Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC ...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-15468 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶