CVE-2025-69418 — Missing Cryptographic Step in Openssl

CWE-325 — Missing Cryptographic Step12 documents9 sources

Severity

4.0MEDIUMNVD

OSV6.1

EPSS

0.0%

top 99.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl

Timeline

PublishedJan 27

Description

Issue summary: When using the low-level OCB API directly with AES-NI orother hardware-accelerated code paths, inputs whose length is not a multipleof 16 bytes can leave the final partial block unencrypted and unauthenticated.Impact summary: The trailing 1-15 bytes of a message may be exposed incleartext on encryption and are not covered by the authentication tag,allowing an attacker to read or tamper with those bytes without detection.The low-level OCB encrypt and decrypt routines in the hardwar…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 1.4 | Impact: 2.5

Affected Packages4 packages

▶CVEListV5openssl/openssl3.6.0 — 3.6.1+5

▶NVDopenssl/openssl1.1.1 — 1.1.1ze+5

▶Debianopenssl/openssl< 1.1.1w-0+deb11u5+3

▶Ubuntuopenssl/openssl< 3.0.2-0ubuntu1.21+6

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Unauthenticated/unencrypted trailing bytes with low-level OCB function calls↗2026-01-27

▶

OSV

openssl, openssl1.0 vulnerabilities↗2026-01-27

▶

GHSA

GHSA-78qr-24v5-7q73: Issue summary: When using the low-level OCB API directly with AES-NI orother hardware-accelerated code paths, inputs whose length is not a multipleof↗2026-01-27

▶

OSV

openssl vulnerabilities↗2026-01-27

▶

OSV

CVE-2025-69418: Issue summary: When using the low-level OCB API directly with AES-NI orother hardware-accelerated code paths, inputs whose length is not a multipleof↗2026-01-27

▶

📋Vendor Advisories

Red Hat

openssl: OpenSSL: Information disclosure and data tampering via specific low-level OCB encryption/decryption calls↗2026-01-27

▶

Ubuntu

OpenSSL vulnerabilities↗2026-01-27

▶

BSD

FreeBSD-SA-26:01.openssl: Multiple vulnerabilities in OpenSSL↗2026-01-27

▶

Ubuntu

OpenSSL vulnerabilities↗2026-01-27

▶

Debian

CVE-2025-69418: openssl - Issue summary: When using the low-level OCB API directly with AES-NI or<br>other...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-69418 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶