VYPR
Medium severity4.0OSV Advisory· Published Jan 27, 2026· Updated May 12, 2026

CVE-2025-69418

CVE-2025-69418

Description

Issue summary: When using the low-level OCB API directly with AES-NI orother hardware-accelerated code paths, inputs whose length is not a multipleof 16 bytes can leave the final partial block unencrypted and unauthenticated.Impact summary: The trailing 1-15 bytes of a message may be exposed incleartext on encryption and are not covered by the authentication tag,allowing an attacker to read or tamper with those bytes without detection.The low-level OCB encrypt and decrypt routines in the hardware-acceleratedstream path process full 16-byte blocks but do not advance the input/outputpointers. The subsequent tail-handling code then operates on the originalbase pointers, effectively reprocessing the beginning of the buffer whileleaving the actual trailing bytes unprocessed. The authentication checksumalso excludes the true tail bytes.However, typical OpenSSL consumers using EVP are not affected because thehigher-level EVP and provider OCB implementations split inputs so that fullblocks and trailing partial blocks are processed in separate calls, avoidingthe problematic code path. Additionally, TLS does not use OCB ciphersuites.The vulnerability only affects applications that call the low-levelCRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly withnon-block-aligned lengths in a single call on hardware-accelerated builds.For these reasons the issue was assessed as Low severity.The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affectedby this issue, as OCB mode is not a FIPS-approved algorithm.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

55

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.