PT-2026-4942 · Openssl · Openssl

Stanislav Fort · Published 2025-01-01 · Updated 2026-01-27 · CVE-2025-15468

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions

OpenSSL versions 3.3 through 3.6

Description

A flaw exists in OpenSSL where the SSL_CIPHER_find() function, when used in a QUIC protocol client or server, can experience a NULL pointer dereference if it receives an unknown cipher suite from its peer. This can lead to a denial of service, causing the process to terminate unexpectedly. The issue was introduced with the addition of QUIC protocol support in version 3.2. The FIPS modules in versions 3.6, 3.5, 3.4, and 3.3 are not affected as the QUIC implementation is outside the OpenSSL FIPS module boundary. The vulnerable function is SSL_CIPHER_find().

Recommendations

OpenSSL versions 3.3 through 3.6 should be updated to a fixed version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2025-15468

Affected Products

Openssl