CVE-2025-69418 Overview
CVE-2025-69418 is a cryptographic vulnerability in OpenSSL's OCB (Offset Codebook) mode implementation affecting hardware-accelerated code paths including AES-NI. When applications directly use the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions with input lengths that are not multiples of 16 bytes, the trailing 1-15 bytes may be left unencrypted and unauthenticated, potentially exposing sensitive data in cleartext.
Critical Impact
The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.
Affected Products
- OpenSSL 3.6
- OpenSSL 3.5
- OpenSSL 3.4
- OpenSSL 3.3
- OpenSSL 3.0
- OpenSSL 1.1.1
Discovery Timeline
- January 27, 2026 - CVE-2025-69418 published to NVD
- January 29, 2026 - Last updated in NVD database
Technical Details for CVE-2025-69418
Vulnerability Analysis
This vulnerability exists in the hardware-accelerated stream path of OpenSSL's OCB mode encryption and decryption routines. The core issue is a pointer management flaw in the crypto/modes/ocb128.c file. When processing data through AES-NI or other hardware acceleration, the code correctly processes full 16-byte blocks but fails to advance the input/output pointers after this processing.
The subsequent tail-handling code, which is responsible for processing any remaining bytes that don't fill a complete 16-byte block, operates on the original base pointers rather than the updated positions. This results in the tail-handling code reprocessing the beginning of the buffer while leaving the actual trailing bytes completely unprocessed.
Critically, the authentication checksum calculation also excludes these true tail bytes, meaning an attacker could potentially modify these trailing bytes without the tampering being detected through the authentication tag verification.
It's important to note that typical OpenSSL consumers using the higher-level EVP (Envelope) API are not affected. The EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites, further limiting the exposure. The FIPS modules in versions 3.6, 3.5, 3.4, 3.3, 3.2, 3.1, and 3.0 are also unaffected since OCB mode is not a FIPS-approved algorithm.
Root Cause
The root cause is classified under CWE-325 (Missing Cryptographic Step). The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but fail to advance the input/output pointers after processing. When the tail-handling code executes, it operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes (1-15 bytes) unprocessed and unprotected by the authentication mechanism.
Attack Vector
The attack vector requires local access and targets applications that directly call CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions with non-block-aligned lengths in a single call on hardware-accelerated builds. An attacker with visibility into encrypted communications could:
- Read the trailing 1-15 bytes of plaintext that were not encrypted
- Modify these trailing bytes without detection since they are excluded from the authentication tag
- Exploit the lack of integrity protection to tamper with message data
The following patch from the OpenSSL repository addresses the pointer advancement issue:
if (num_blocks && all_num_blocks == (size_t)all_num_blocks
&& ctx->stream != NULL) {
- size_t max_idx = 0, top = (size_t)all_num_blocks;
+ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
/*
* See how many L_{i} entries we need to process data at hand
Source: GitHub OpenSSL Commit 372fc5c7
Detection Methods for CVE-2025-69418
Indicators of Compromise
- Applications directly calling CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() with non-16-byte-aligned input lengths
- Presence of vulnerable OpenSSL versions (3.6, 3.5, 3.4, 3.3, 3.0, or 1.1.1) in the environment
- Applications using hardware-accelerated (AES-NI) builds of OpenSSL with low-level OCB API calls
Detection Strategies
- Inventory all systems running affected OpenSSL versions (3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1) using software composition analysis tools
- Audit application code for direct usage of CRYPTO_ocb128_encrypt() and CRYPTO_ocb128_decrypt() functions
- Review cryptographic implementations for non-block-aligned input handling in OCB mode operations
Monitoring Recommendations
- Monitor for applications using low-level OpenSSL cryptographic APIs rather than the recommended EVP interfaces
- Track OpenSSL library versions across your infrastructure to ensure timely patching
- Implement SentinelOne Singularity to detect anomalous cryptographic behavior and unauthorized memory access patterns
How to Mitigate CVE-2025-69418
Immediate Actions Required
- Update OpenSSL to the patched versions addressing CVE-2025-69418
- Migrate applications from low-level OCB API calls to the higher-level EVP interface which is not affected
- Verify that OpenSSL 1.0.2 is used if upgrade is not immediately possible (this version is not affected)
Patch Information
OpenSSL has released patches addressing this vulnerability. Multiple commits have been published to fix the pointer advancement issue in the OCB implementation:
- OpenSSL Commit 372fc5c7
- OpenSSL Commit 4016975d
- OpenSSL Commit 52d23c86
- OpenSSL Commit a7589230
- OpenSSL Commit ed40856d
For detailed information, refer to the OpenSSL Security Advisory.
Workarounds
- Refactor applications to use the EVP API instead of direct CRYPTO_ocb128_encrypt() and CRYPTO_ocb128_decrypt() calls
- Ensure input data is padded to 16-byte block boundaries before calling low-level OCB functions
- Consider using alternative authenticated encryption modes (e.g., GCM) that do not have this vulnerability
# Check OpenSSL version and identify affected systems
openssl version -a
# Verify library path for affected installations
ldd /usr/bin/openssl | grep libcrypto
# Search for applications using vulnerable low-level OCB APIs
grep -r "CRYPTO_ocb128_encrypt\|CRYPTO_ocb128_decrypt" /path/to/application/source
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
