VYPR

apk package

chainguard/openssl-provider-fips-3.4.0-dbg

pkg:apk/chainguard/openssl-provider-fips-3.4.0-dbg

Vulnerabilities (12)

  • CVE-2026-9076HigJun 9, 2026
    affected < 0fixed 0

    Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash w

  • CVE-2026-45445HigJun 9, 2026
    affected < 0fixed 0

    Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce re

  • CVE-2026-42770LowJun 9, 2026
    affected < 3.4.0-r4fixed 3.4.0-r4

    Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small

  • CVE-2026-42769MedJun 9, 2026
    affected < 0fixed 0

    Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Auth

  • CVE-2026-34180HigJun 9, 2026
    affected < 0fixed 0

    Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial

  • CVE-2026-28387HigApr 7, 2026
    affected < 0fixed 0

    Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of po

  • CVE-2025-9232MedSep 30, 2025
    affected < 0fixed 0

    Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can

  • CVE-2025-9231MedSep 30, 2025
    affected < 0fixed 0

    Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recov

  • CVE-2025-9230HigSep 30, 2025
    affected < 0fixed 0

    Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds

  • CVE-2025-4575May 22, 2025
    affected < 0fixed 0

    Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that u

  • CVE-2024-12797MedFeb 11, 2025
    affected < 0fixed 0

    Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u

  • CVE-2024-13176MedJan 20, 2025
    affected < 3.4.0-r4fixed 3.4.0-r4

    Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measurin