Bugs in OpenSSL Allowed Recovery of Private Key, Code Execution, and DoS Attacks

OpenSSL developers have released several new versions of the open-source SSL/TLS toolkit to address three security vulnerabilities discovered in recent builds.
The patched releases — OpenSSL 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd, and 1.0.2zm — fix vulnerabilities tracked as CVE-2025-9230, CVE-2025-9231, and CVE-2025-9232.
Two of the flaws are rated medium severity, while the third (CVE-2025-9231) poses a higher risk because it allows an attacker to recover a private key. Since OpenSSL is widely used to secure communications for websites, applications, and network services, an attacker who obtains such a key could decrypt protected traffic or perform man-in-the-middle (MitM) attacks.
However, the OpenSSL team emphasized that CVE-2025-9231 only affects the SM2 algorithm implementation on 64-bit ARM platforms.
“OpenSSL does not directly support certificates with SM2 keys in TLS, so this vulnerability is not relevant in most TLS contexts,” the developers explained. “However, because support for such certificates can be added through a custom provider — and since private keys could theoretically be recovered via remote timing measurements — we rated this issue as medium severity.”
The second vulnerability, CVE-2025-9230, is an out-of-bounds read/write flaw that can be exploited to execute arbitrary code or trigger denial-of-service (DoS) conditions.
“Although the potential consequences of successful exploitation are serious, the likelihood of an attacker being able to do so is very low,” the OpenSSL security bulletin notes.
The third flaw, CVE-2025-9232, is considered low severity and could cause affected applications to crash, which also results in a DoS condition.
OpenSSL users are urged to update to the latest versions immediately to mitigate these risks.