CVE-2025-69418
Description
Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites.

The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds.

For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Low-level OCB encryption in OpenSSL using AES-NI leaves trailing 1-15 bytes unencrypted and unauthenticated due to pointer update failure.
Description
The vulnerability resides in the low-level OCB encrypt and decrypt routines (CRYPTO_ocb128_encrypt() and CRYPTO_ocb128_decrypt()) when using hardware-accelerated code paths such as AES-NI. When processing input whose length is not a multiple of 16 bytes, the routines correctly encrypt or decrypt full 16-byte blocks via the hardware stream function, but the input and output pointers are not advanced after processing those full blocks [3][4]. The subsequent tail-handling code therefore operates on the original buffer start, re-processing the first bytes of the buffer and leaving the actual trailing bytes (the final 1–15 bytes) unprocessed: unencrypted on encryption and unauthenticated on both encryption and decryption. The authentication checksum also excludes these true tail bytes, so an attacker can tamper with them without detection [2].
Exploitation
The attack surface is narrow: typical OpenSSL consumers using the EVP interface or the OpenSSL provider OCB implementation are not affected because those higher-level layers split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path [2]. Additionally, TLS does not use OCB ciphersuites. Therefore, only applications that call the low-level OCB API directly with a single input that is not a multiple of 16 bytes, and run on builds that use hardware acceleration (e.g., AES-NI), are vulnerable. No special network position or authentication is required beyond the ability to supply such misaligned data to the vulnerable functions [2].
Impact
An attacker exploiting this issue can read the trailing 1–15 bytes of a message in cleartext (instead of ciphertext) when encryption is performed, and can modify those bytes without the authentication tag reflecting the change. This defeats the confidentiality and integrity guarantees of OCB mode for those bytes, potentially leaking sensitive data or allowing undetected tampering with the tail of a message. The vulnerability has been assessed as Low severity by the OpenSSL project due to the limited attack surface [2].
Mitigation
OpenSSL versions 3.6, 3.5, 3.4, 3.3, 3.0, and 1.1.1 are vulnerable; OpenSSL 1.0.2 is not affected [2]. The fix is provided in commits for the affected versions, adding a processed_bytes variable and correctly advancing the in and out pointers after the hardware stream call [3][4]. Siemens has also listed this CVE as affecting the SIMATIC S7-1500 TM MFP - GNU/Linux subsystem, although no specific remediation is yet listed [1]. Users are advised to update to the latest OpenSSL releases (3.6.1, 3.5.5, 3.4.4, etc.) or apply the patch [2].
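A constructed C model of the pointer-advance defect from the Description above and of the fix shape outlined in this section; it is added here and is not OpenSSL's code. hw_stream, tail_step, ocb_model, unprocessed_tail and demo are stand-ins of my own, and XOR replaces the real block cipher so that only the pointer handling is visible.

```c
#include <stddef.h>
#include <stdint.h>
#define BLOCK 16

/* Stand-in for the hardware-accelerated stream routine: it transforms whole
 * blocks only and, like the real one, never moves the caller's pointers. */
static void hw_stream(const uint8_t *in, uint8_t *out, size_t nblocks, uint8_t key)
{
    for (size_t i = 0; i < nblocks * BLOCK; i++)
        out[i] = in[i] ^ key;              /* XOR stands in for AES */
}

/* Stand-in for the partial-block tail step. */
static void tail_step(const uint8_t *in, uint8_t *out, size_t rem, uint8_t key)
{
    for (size_t i = 0; i < rem; i++)
        out[i] = in[i] ^ (uint8_t)(key ^ 0xA5);
}

/* fixed == 0: pointers never advance after the stream call, so the tail step
 * re-processes the first `rem` bytes and the real tail is never written. */
void ocb_model(const uint8_t *in, uint8_t *out, size_t len, uint8_t key, int fixed)
{
    size_t processed_bytes = (len / BLOCK) * BLOCK, rem = len - processed_bytes;
    hw_stream(in, out, len / BLOCK, key);
    if (fixed) {                           /* shape of the published fix */
        in += processed_bytes; out += processed_bytes;
    }
    if (rem)
        tail_step(in, out, rem, key);
}

/* Trailing bytes of `out` still equal to the input, i.e. left unprocessed. */
size_t unprocessed_tail(const uint8_t *in, const uint8_t *out, size_t len)
{
    size_t rem = len % BLOCK, left = 0;
    for (size_t i = len - rem; i < len; i++)
        left += (in[i] == out[i]);
    return left;
}

/* Constructed 20-byte message (one block + 4-byte tail), encrypted in place. */
size_t demo(int fixed)
{
    uint8_t pt[20], buf[20];
    for (size_t i = 0; i < sizeof pt; i++) buf[i] = pt[i] = (uint8_t)(0x30 + i);
    ocb_model(buf, buf, sizeof buf, 0x5C, fixed);
    return unprocessed_tail(pt, buf, sizeof buf);
}
```

In the defective path unprocessed_tail reports 4 and the first 4 bytes of the buffer have been transformed twice, while the fixed path reports 0. Comparing the trailing len % 16 bytes of an in-place single-call CRYPTO_ocb128_encrypt() output with the original input is the same check applied to an actual build.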
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: 3.0-POST-CLANG-FORMAT-WEBKIT, 3.0-PRE-CLANG-FORMAT-WEBKIT, 3.3-POST-CLANG-FORMAT-WEBKIT, …
- (no CPE) range: 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc (nvd: Patch)
- github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8 (nvd: Patch)
- github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347 (nvd: Patch)
- github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae (nvd: Patch)
- github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977 (nvd: Patch)
- openssl-library.org/news/secadv/20260127.txt (nvd: Vendor Advisory)
- cert-portal.siemens.com/productcert/html/ssa-265688.html (nvd)
News mentions
No linked articles in our index yet.