Using a Custom Cipher with NID_undef may lead to NULL encryption
Description
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSSL 3.0.0-3.0.5 mishandles legacy custom ciphers with NID_undef, inadvertently falling back to NULL encryption, which exposes plaintext as ciphertext.
Root
Cause
OpenSSL supports custom ciphers via the deprecated EVP_CIPHER_meth_new() function. In versions 3.0.0 through 3.0.5, when a custom cipher is initialized using EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2(), or EVP_CipherInit_ex2(), the library incorrectly attempts to fetch an equivalent cipher from registered providers instead of using the custom cipher directly. This lookup is keyed by the NID passed to EVP_CIPHER_meth_new(). If an application passes NID_undef (a sentinel value meaning “no defined cipher”), the provider lookup matches the NULL cipher, which performs no encryption and simply emits plaintext as ciphertext [1][3].
Exploitation
Exploitation requires that the application calls EVP_CIPHER_meth_new() with NID_undef and then uses that custom cipher in an encryption or decryption initialization routine. The attack surface is limited to applications that programmatically create custom ciphers using the legacy API. Standard SSL/TLS users are not affected [1][2]. The default OpenSSL provider, if loaded, supplies the NULL cipher, so the misbehavior occurs automatically; no special attacker configuration is needed beyond the vulnerable application logic [3].
Impact
An attacker who can supply plaintext to be processed by the vulnerable initialization path will receive that plaintext unchanged as “ciphertext.” This defeats the confidentiality guarantee of encryption, effectively turning the cipher operation into a no-op. The issue does not affect data integrity or availability directly, but the loss of encryption can lead to exposure of sensitive information in transit or at rest [2][3].
Mitigation
The vulnerability is fixed in OpenSSL 3.0.6. Users of OpenSSL 3.0.0–3.0.5 should upgrade immediately. Workarounds include avoiding the use of NID_undef in custom cipher creation or not using the legacy EVP_CIPHER_meth_new() API at all; OpenSSL 1.1.1 and 1.0.2 are not affected [1][3]. The Rust crate openssl-src has been patched in version >=300.0.10 [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openssl-srccrates.io | >= 300.0.0, < 300.0.10 | 300.0.10 |
Affected products
42- osv-coords41 versionspkg:apk/chainguard/libcrypto3pkg:apk/chainguard/libssl3pkg:apk/chainguard/opensslpkg:apk/chainguard/openssl-configpkg:apk/chainguard/openssl-dbgpkg:apk/chainguard/openssl-devpkg:apk/chainguard/openssl-docpkg:apk/chainguard/openssl-engine-afalgpkg:apk/chainguard/openssl-engine-capipkg:apk/chainguard/openssl-engine-loader-atticpkg:apk/chainguard/openssl-engine-padlockpkg:apk/chainguard/openssl-provider-legacypkg:apk/chainguard/ruby-3.1pkg:apk/chainguard/ruby-3.1-basepkg:apk/chainguard/ruby-3.1-base-devpkg:apk/chainguard/ruby-3.1-devpkg:apk/chainguard/ruby-3.1-docpkg:apk/wolfi/libcrypto3pkg:apk/wolfi/libssl3pkg:apk/wolfi/opensslpkg:apk/wolfi/openssl-configpkg:apk/wolfi/openssl-dbgpkg:apk/wolfi/openssl-devpkg:apk/wolfi/openssl-docpkg:apk/wolfi/openssl-engine-afalgpkg:apk/wolfi/openssl-engine-capipkg:apk/wolfi/openssl-engine-loader-atticpkg:apk/wolfi/openssl-engine-padlockpkg:apk/wolfi/openssl-provider-legacypkg:apk/wolfi/ruby-3.1pkg:apk/wolfi/ruby-3.1-basepkg:apk/wolfi/ruby-3.1-base-devpkg:apk/wolfi/ruby-3.1-devpkg:apk/wolfi/ruby-3.1-docpkg:cargo/openssl-srcpkg:rpm/almalinux/opensslpkg:rpm/almalinux/openssl-develpkg:rpm/almalinux/openssl-libspkg:rpm/almalinux/openssl-perlpkg:rpm/opensuse/openssl-3&distro=openSUSE%20Leap%2015.4pkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4
< 3.0.7-r0+ 40 more
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 3.0.7-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 300.0.0, < 300.0.10
- (no CPE)range: < 1:3.0.7-6.el9_2
- (no CPE)range: < 1:3.0.7-6.el9_2
- (no CPE)range: < 1:3.0.7-6.el9_2
- (no CPE)range: < 1:3.0.7-6.el9_2
- (no CPE)range: < 3.0.1-150400.4.11.1
- (no CPE)range: < 3.0.1-150400.4.11.1
- Range: Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5)
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- github.com/advisories/GHSA-4f63-89w9-3jjvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-3358ghsaADVISORY
- security.gentoo.org/glsa/202402-08ghsavendor-advisoryWEB
- git.openssl.org/gitweb/ghsaWEB
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023ghsaWEB
- rustsec.org/advisories/RUSTSEC-2022-0059.htmlghsaWEB
- security.netapp.com/advisory/ntap-20221028-0014ghsaWEB
- www.openssl.org/news/secadv/20221011.txtghsaWEB
- git.openssl.org/gitweb/mitre
- security.netapp.com/advisory/ntap-20221028-0014/mitre
News mentions
0No linked articles in our index yet.