OpenSSL Library private key recovery flaw (CVE-2025-9231)

Vulnerability

First reported

01.10.2025 16:59

Last updated

01.10.2025 16:59

Happening score

H score 11

1 unique sources, 1 articles

Summary

Hide ▲

OpenSSL patched CVE-2025-9231, a private-key recovery flaw affecting the SM2 implementation on 64-bit ARM platforms. The issue is rated moderate severity and could matter where a custom provider enables SM2 certificates in TLS. If abused, recovery of the key could enable decryption of traffic or a MitM attack.

Timeline

01.10.2025 16:59 2 articles · 7mo ago

OpenSSL releases patches for CVE-2025-9231 and related flaws

Mitigation Patch Update
The OpenSSL Project released versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd to patch CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232. CVE-2025-9231 affects the SM2 algorithm implementation on 64-bit ARM platforms and may allow private key recovery in a custom provider context using remote timing measurements.
Show sources

OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks — www.securityweek.com — 01.10.2025 16:59

OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks — www.securityweek.com — 01.10.2025 16:59
Open in new tab

Summary

Timeline

OpenSSL releases patches for CVE-2025-9231 and related flaws