Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68160

CVE-2025-68160: OpenSSL Line-Buffering BIO DoS Vulnerability

CVE-2025-68160 is a denial of service vulnerability in OpenSSL's line-buffering BIO filter that causes heap-based memory corruption. This article covers the technical details, affected versions, impact assessment, and mitigation.

Published:

CVE-2025-68160 Overview

CVE-2025-68160 is a heap-based out-of-bounds write vulnerability affecting OpenSSL's line-buffering BIO filter (BIO_f_linebuffer). The vulnerability is triggered when writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO in the chain performs short writes. This memory corruption issue can result in application crashes, leading to a Denial of Service condition.

Critical Impact

Applications using the BIO_f_linebuffer filter with BIO chains that can short-write are susceptible to heap corruption and potential denial of service when processing large, newline-free input data.

Affected Products

  • OpenSSL 3.6
  • OpenSSL 3.5
  • OpenSSL 3.4
  • OpenSSL 3.3
  • OpenSSL 3.0
  • OpenSSL 1.1.1
  • OpenSSL 1.0.2

Discovery Timeline

  • 2026-01-27 - CVE-2025-68160 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2025-68160

Vulnerability Analysis

This vulnerability (CWE-787: Out-of-bounds Write) occurs within the BIO_f_linebuffer filter implementation in OpenSSL. The line-buffering BIO filter is designed to buffer output data until a newline character is encountered, at which point the buffered data is flushed to the next BIO in the chain.

The flaw manifests when large amounts of data without newline characters are written to a BIO chain where BIO_f_linebuffer is active and the subsequent BIO performs short writes (writes fewer bytes than requested). Under these conditions, the filter's internal buffer management logic fails to properly account for the partial write, resulting in heap memory being written beyond its allocated bounds.

While the vulnerability requires a local attack vector with low-privileged access and has high complexity to exploit, successful exploitation leads to memory corruption that typically crashes the application. The FIPS modules in OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0 are not affected as the BIO implementation exists outside the FIPS module boundary.

Root Cause

The root cause lies in improper boundary validation within the BIO_f_linebuffer implementation when handling short writes from downstream BIOs. When the next BIO in the chain writes fewer bytes than the line buffer provides, the filter's internal state becomes inconsistent, leading to subsequent write operations targeting memory addresses beyond the allocated heap buffer.

The line-buffering filter is not used by default in TLS/SSL data paths, which limits the attack surface. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain capable of short-writes and that process large, newline-free data influenced by an attacker would be affected.

Attack Vector

Exploitation requires a local attacker with low privileges to influence an application that:

  1. Explicitly uses the BIO_f_linebuffer filter in its BIO chain
  2. Has a subsequent BIO that can perform short writes
  3. Processes large, newline-free data that could be influenced by the attacker

The vulnerability mechanism involves writing data to trigger the buffer overflow condition. When the downstream BIO short-writes, the line buffer's internal pointer tracking becomes corrupted, causing subsequent operations to write data past the end of the heap-allocated buffer. This heap corruption typically manifests as an application crash.

For detailed technical information about the vulnerability and its patches, see the OpenSSL Security Advisory.

Detection Methods for CVE-2025-68160

Indicators of Compromise

  • Unexpected application crashes in processes using OpenSSL libraries
  • Segmentation faults or heap corruption errors in application logs
  • Core dumps showing memory access violations in BIO-related functions
  • Unusual memory allocation patterns in OpenSSL-linked applications

Detection Strategies

  • Monitor system logs for application crashes involving OpenSSL library components
  • Implement memory sanitizers (AddressSanitizer) during development to detect heap overflow conditions
  • Use runtime application self-protection tools to detect out-of-bounds memory access
  • Deploy SentinelOne Singularity Platform to detect and prevent memory corruption exploitation attempts

Monitoring Recommendations

  • Enable detailed crash logging for applications utilizing OpenSSL
  • Monitor for repeated application restarts that may indicate DoS exploitation attempts
  • Track OpenSSL version inventory across the environment to identify vulnerable deployments
  • Implement alerting on unusual patterns of application failures

How to Mitigate CVE-2025-68160

Immediate Actions Required

  • Inventory all systems and applications using affected OpenSSL versions (3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, 1.0.2)
  • Prioritize patching for applications that explicitly use BIO_f_linebuffer with user-influenced data
  • Review custom applications for direct use of the line-buffering BIO filter
  • Apply vendor patches as they become available for affected OpenSSL versions

Patch Information

OpenSSL has released security patches addressing this vulnerability across all affected versions. The patches correct the buffer management logic in the BIO_f_linebuffer implementation to properly handle short writes from downstream BIOs.

Relevant patch commits are available on GitHub:

For complete advisory details, refer to the OpenSSL Security Advisory.

Workarounds

  • Avoid using BIO_f_linebuffer in applications that process untrusted or attacker-influenced data
  • Implement input validation to limit the size of newline-free data blocks processed through BIO chains
  • Consider removing the line-buffering filter from BIO chains where short-writes are possible
  • Restrict the maximum buffer size for BIO operations processing external data
bash
# Check OpenSSL version on the system
openssl version -a

# Identify processes using OpenSSL libraries
lsof | grep libssl

# List installed OpenSSL packages (Debian/Ubuntu)
dpkg -l | grep openssl

# List installed OpenSSL packages (RHEL/CentOS)
rpm -qa | grep openssl

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.