NVD - CVE-2025-69420 (original) (raw)
Description
Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | OpenSSL Software Foundation |
Known Affected Software Configurations Switch to CPE 2.2
Change History
4 change records found show changes
CVE Modified by siemens-SADP 5/12/2026 9:17:26 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://cert-portal.siemens.com/productcert/html/ssa-265688.html |
Initial Analysis by NIST 2/02/2026 1:33:30 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | OR *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.0.19 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.3.0 up to (excluding) 3.3.6 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.4.0 up to (excluding) 3.4.4 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.5.0 up to (excluding) 3.5.5 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.6.0 up to (excluding) 3.6.1 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.1.1 up to (excluding) 1.1.1ze | |
| Added | Reference Type | OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9 Types: Patch | |
| Added | Reference Type | OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a Types: Patch | |
| Added | Reference Type | OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e Types: Patch | |
| Added | Reference Type | OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b Types: Patch | |
| Added | Reference Type | OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085 Types: Patch | |
| Added | Reference Type | OpenSSL Software Foundation: https://openssl-library.org/news/secadv/20260127.txt Types: Vendor Advisory |
CVE Modified by CISA-ADP 1/28/2026 3:16:13 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
New CVE Received from OpenSSL Software Foundation 1/27/2026 11:16:34 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | |
| Added | CWE | CWE-754 | |
| Added | Reference | https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9 | |
| Added | Reference | https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a | |
| Added | Reference | https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e | |
| Added | Reference | https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b | |
| Added | Reference | https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085 | |
| Added | Reference | https://openssl-library.org/news/secadv/20260127.txt |