Bug 2396054 (CVE-2025-9230)

Summary: CVE-2025-9230 openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, alcohan, anthomas, bkabrda, brasmith, bsmejkal, cochase, crizzo, csutherl, dbosanac, dranck, ehelms, eshamard, ggainey, gotiwari, gparvin, gtanzill, jachapma, jbalunas, jbuscemi, jcantril, jclere, jgrulich, jhorak, jmitchel, jreimann, juwatts, jvasik, jwendell, kaycoth, kshier, lball, mdessi, mhulan, mrizzi, mvyas, ngough, nicolas.koechling, nmoumoul, osousa, owatkins, pahickey, pbohmill, pcattana, pcreech, pjindal, plodge, progier, rblanco, rcernich, rchan, rhaigner, rojacob, sdawley, security-response-team, smallamp, spichugi, ssidhaye, stcannon, szappis, tbordaz, teagle, tmalecek, tpopela, vashirov, vchlup, veshanka, vmugicag, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the OpenSSL CMS implementation (RFC 3211 KEK Unwrap). This vulnerability allows memory corruption, an application-level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption (PWRI).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2400658, 2400660, 2400670, 2400672, 2400659, 2400661, 2400662, 2400663, 2400664, 2400665, 2400666, 2400668, 2400674, 2400676, 2400678, 2400680, 2400682
Bug Blocks:
Deadline: 2025-09-30

Description OSIDB Bzimport 2025-09-17 12:18:14 UTC
Issue summary: An application trying to decrypt CMS messages encrypted using
password-based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to
Denial of Service for an application. The out-of-bounds write can cause
a memory corruption which can have various consequences including
a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability
could be severe, the probability that the attacker would be able to
perform it is low. Besides, password-based (PWRI) encryption support in CMS
messages is very rarely used. For that reason the issue was assessed as
Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.5, 3.4, 3.3, 3.2, 3.0 and 1.1.1 are vulnerable to this issue.

Comment 2 errata-xmlrpc 2025-11-12 22:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:21174 https://access.redhat.com/errata/RHSA-2025:21174

Comment 3 errata-xmlrpc 2025-11-13 11:05:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:21248 https://access.redhat.com/errata/RHSA-2025:21248

Comment 4 errata-xmlrpc 2025-11-13 11:26:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:21255 https://access.redhat.com/errata/RHSA-2025:21255

Comment 5 errata-xmlrpc 2025-11-17 15:18:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:21562 https://access.redhat.com/errata/RHSA-2025:21562

Comment 6 errata-xmlrpc 2025-12-08 01:34:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:22794 https://access.redhat.com/errata/RHSA-2025:22794

Comment 8 errata-xmlrpc 2026-01-08 12:44:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0337 https://access.redhat.com/errata/RHSA-2026:0337

Comment 10 errata-xmlrpc 2026-01-14 13:24:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.20

Via RHSA-2026:0420 https://access.redhat.com/errata/RHSA-2026:0420

Comment 11 errata-xmlrpc 2026-01-14 14:40:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:0602 https://access.redhat.com/errata/RHSA-2026:0602

Comment 12 errata-xmlrpc 2026-01-15 15:56:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:0714 https://access.redhat.com/errata/RHSA-2026:0714

Comment 13 errata-xmlrpc 2026-01-15 18:55:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:0332 https://access.redhat.com/errata/RHSA-2026:0332

Comment 14 errata-xmlrpc 2026-01-19 11:08:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:0794 https://access.redhat.com/errata/RHSA-2026:0794

Comment 15 errata-xmlrpc 2026-01-20 16:09:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:0887 https://access.redhat.com/errata/RHSA-2026:0887

Comment 17 errata-xmlrpc 2026-01-22 19:07:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2026:0702 https://access.redhat.com/errata/RHSA-2026:0702

Comment 18 errata-xmlrpc 2026-01-22 20:17:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:0674 https://access.redhat.com/errata/RHSA-2026:0674

Comment 19 errata-xmlrpc 2026-01-27 13:56:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:1349 https://access.redhat.com/errata/RHSA-2026:1349

Comment 20 errata-xmlrpc 2026-01-28 09:17:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:1475 https://access.redhat.com/errata/RHSA-2026:1475

Comment 21 errata-xmlrpc 2026-02-02 14:36:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:1720 https://access.redhat.com/errata/RHSA-2026:1720

Comment 23 errata-xmlrpc 2026-02-17 09:10:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2771 https://access.redhat.com/errata/RHSA-2026:2771

Comment 24 errata-xmlrpc 2026-02-17 09:24:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2776 https://access.redhat.com/errata/RHSA-2026:2776

Comment 25 errata-xmlrpc 2026-02-23 19:17:12 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2026:2994 https://access.redhat.com/errata/RHSA-2026:2994

Comment 26 errata-xmlrpc 2026-02-23 19:19:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services 2.4.62.SP3

Via RHSA-2026:2995 https://access.redhat.com/errata/RHSA-2026:2995

Comment 28 errata-xmlrpc 2026-02-24 10:03:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:3164 https://access.redhat.com/errata/RHSA-2026:3164

Comment 30 errata-xmlrpc 2026-02-26 14:42:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:2974 https://access.redhat.com/errata/RHSA-2026:2974

Comment 31 errata-xmlrpc 2026-03-05 11:24:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:3415 https://access.redhat.com/errata/RHSA-2026:3415

Comment 32 errata-xmlrpc 2026-03-12 02:48:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2026:3861 https://access.redhat.com/errata/RHSA-2026:3861