VYPR

Vendor CVEs

OpenSSL Project

All CVEs

379 total · sorted by risk
  • CVE-2026-6331 · Jun 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signature length was only checked as not exceeding the MAC length, so a zero-length or…

  • CVE-2026-55655 · Jun 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A…

  • CVE-2026-55653 · Jun 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes…

  • CVE-2025-66199 · Jan 27, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to…

  • CVE-2025-15469 · Jan 27, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as…

  • CVE-2025-15468 · Jan 27, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process…

  • CVE-2025-11187 · Jan 27, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash…

  • CVE-2025-4575 · May 22, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that…

  • CVE-2025-32728 · Apr 10, 2025
    risk 0.00 · cvss n/a · epss 0.00

    In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

  • CVE-2025-27731 · Apr 8, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally.

  • CVE-2024-2408 · Jun 9, 2024
    risk 0.00 · cvss n/a · epss 0.01

    The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: …

  • CVE-2024-26306 · May 13, 2024
    risk 0.00 · cvss n/a · epss 0.01

    iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large…

  • CVE-2023-49210 · Nov 23, 2023
    risk 0.00 · cvss n/a · epss 0.02

    The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used for command execution). NOTE: This vulnerability only affects products that are no…

  • CVE-2023-4807 · Sep 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an…

  • CVE-2023-3817 · Jul 31, 2023
    risk 0.00 · cvss n/a · epss 0.03

    Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters…

  • CVE-2023-3446 · Jul 19, 2023
    risk 0.00 · cvss n/a · epss 0.06

    Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters…

  • CVE-2023-2975 · Jul 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as…

  • CVE-2023-1255 · Apr 20, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare…

  • CVE-2023-0466 · Mar 28, 2023
    risk 0.00 · cvss n/a · epss 0.02

    The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to…

  • CVE-2023-0465 · Mar 28, 2023
    risk 0.00 · cvss n/a · epss 0.02

    Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are…

  • CVE-2023-0464 · Mar 22, 2023
    risk 0.00 · cvss n/a · epss 0.04

    A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that…

  • CVE-2022-4203 · Feb 24, 2023
    risk 0.00 · cvss n/a · epss 0.01

    A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to…

  • CVE-2022-4304 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.16

    A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of…

  • CVE-2022-4450 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.20

    The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing…

  • CVE-2023-0215 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.04

    The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function…

  • CVE-2023-0216 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.02

    An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service…

  • CVE-2023-0217 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.02

    An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted…

  • CVE-2023-0401 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.02

    A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest…

  • CVE-2022-3996 · Dec 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy…

  • CVE-2022-2097 · Jul 5, 2022
    risk 0.00 · cvss n/a · epss 0.02

    AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in…

  • CVE-2022-1473 · May 3, 2022
    risk 0.00 · cvss n/a · epss 0.02

    The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys…

  • CVE-2022-1434 · May 3, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an…

  • CVE-2022-1343 · May 3, 2022
    risk 0.00 · cvss n/a · epss 0.01

    The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate…

  • CVE-2021-4160 · Jan 28, 2022
    risk 0.00 · cvss n/a · epss 0.04

    There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing…

  • CVE-2021-3711 · Aug 24, 2021
    risk 0.00 · cvss n/a · epss 0.88

    In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with…

  • CVE-2021-3450 · Mar 25, 2021
    risk 0.00 · cvss n/a · epss 0.18

    The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve…

  • CVE-2021-28041 · Mar 5, 2021
    risk 0.00 · cvss n/a · epss 0.03

    ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.

  • CVE-2021-23841 · Feb 16, 2021
    risk 0.00 · cvss n/a · epss 0.07

    The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field…

  • CVE-2021-23839 · Feb 16, 2021
    risk 0.00 · cvss n/a · epss 0.03

    OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS…

  • CVE-2020-14145 · Jun 29, 2020
    risk 0.00 · cvss n/a · epss 0.02

    The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).…

  • CVE-2020-12062 · Jun 1, 2020
    risk 0.00 · cvss n/a · epss 0.02

    The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory…

  • CVE-2019-1551 · Dec 6, 2019
    risk 0.00 · cvss n/a · epss 0.14

    There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult…

  • CVE-2019-16905 · Oct 9, 2019
    risk 0.00 · cvss n/a · epss 0.02

    OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the…

  • CVE-2019-1563 · Sep 10, 2019
    risk 0.00 · cvss n/a · epss 0.04

    In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message…

  • CVE-2019-1549 · Sep 10, 2019
    risk 0.00 · cvss n/a · epss 0.06

    OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in…

  • CVE-2019-1547 · Sep 10, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a…

  • CVE-2019-1552 · Jul 30, 2019
    risk 0.00 · cvss n/a · epss 0.01

    OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options.…

  • CVE-2019-1543 · Mar 6, 2019
    risk 0.00 · cvss n/a · epss 0.06

    ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12…

  • CVE-2019-1559 · Feb 27, 2019
    risk 0.00 · cvss n/a · epss 0.17

    If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0…

  • CVE-2018-20685 · Jan 10, 2019
    risk 0.00 · cvss n/a · epss 0.04

    In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

Page 6 of 8