CVE-2025-66199

Name of the Vulnerable Software and Affected Versions OpenSSL versions 3.3 through 3.6

Description A TLS 1.3 connection utilizing certificate compression can be manipulated to allocate a substantial buffer prior to decompression, bypassing the configured certificate size limit. This can lead to per-connection memory allocations of approximately 22 MiB and increased CPU usage, potentially causing service degradation or denial of service. The issue arises from the uncompressed certificate length supplied by the peer in a CompressedCertificate message being used to expand a heap buffer without being constrained by the max cert list setting. This affects clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate. Servers that do not request client certificates are not susceptible to client-initiated attacks.

Recommendations OpenSSL version 3.3: Set SSL OP NO RX CERTIFICATE COMPRESSION to disable receiving compressed certificates. OpenSSL version 3.4: Set SSL OP NO RX CERTIFICATE COMPRESSION to disable receiving compressed certificates. OpenSSL version 3.5: Set SSL OP NO RX CERTIFICATE COMPRESSION to disable receiving compressed certificates. OpenSSL version 3.6: Set SSL OP NO RX CERTIFICATE COMPRESSION to disable receiving compressed certificates.