2430388 – (CVE-2025-69420) CVE-2025-69420 openssl: OpenSSL: Denial of Service via malformed TimeStamp Response

Bug 2430388 (CVE-2025-69420) - CVE-2025-69420 openssl: OpenSSL: Denial of Service via malformed TimeStamp Response

Summary: CVE-2025-69420 openssl: OpenSSL: Denial of Service via malformed TimeStamp Re...

Keywords:
Status:	NEW
Alias:	CVE-2025-69420
Deadline:	2026-01-27
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-16 14:42 UTC by OSIDB Bzimport
Modified:	2026-02-04 04:58 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2026:1601	None	None	None	2026-01-29 20:11:05 UTC
Red Hat Product Errata	RHBA-2026:1605	None	None	None	2026-01-29 22:38:43 UTC
Red Hat Product Errata	RHBA-2026:1875	None	None	None	2026-02-04 04:58:35 UTC
Red Hat Product Errata	RHSA-2026:1472	None	None	None	2026-01-28 08:56:44 UTC
Red Hat Product Errata	RHSA-2026:1473	None	None	None	2026-01-28 09:54:18 UTC

Description OSIDB Bzimport 2026-01-16 14:42:42 UTC

Issue summary: A type confusion vulnerability exists in the TimeStamp Response
verification code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid or NULL pointer dereference when
processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a
malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()
access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory
through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The
TimeStamp protocol (RFC 3161) is not widely used and the impact of the
exploit is just a Denial of Service. For these reasons the issue was
assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

OpenSSL 3.6 users should upgrade to OpenSSL 3.6.1.

OpenSSL 3.5 users should upgrade to OpenSSL 3.5.5.

OpenSSL 3.4 users should upgrade to OpenSSL 3.4.4.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.6.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.19.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1ze.
(premium support customers only).

Comment 2 errata-xmlrpc 2026-01-28 08:56:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1472 https://access.redhat.com/errata/RHSA-2026:1472

Comment 3 errata-xmlrpc 2026-01-28 09:54:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1473 https://access.redhat.com/errata/RHSA-2026:1473

Note You need to log in before you can comment on or make changes to this bug.