CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-69420: OpenSSL TimeStamp: When a C Union Breaks the State of the Union

Vulnerability ID: CVE-2025-69420
CVSS Score: 7.5
Published: 2026-01-27

A classic type confusion vulnerability in OpenSSL's TimeStamp Protocol (TSP) implementation allows attackers to crash applications by supplying malformed ASN.1 structures. By treating a generic ASN.1 type as a Sequence without validation, the library performs an invalid pointer dereference, leading to a reliable Denial of Service.

TL;DR

OpenSSL trusted a C union without checking the tag. If you send a TimeStamp Response where the 'signing certificate' is an Integer instead of a Sequence, OpenSSL tries to read memory that isn't there. Result: Crash. Impact: DoS.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-754 / CWE-843
  • Attack Vector: Network
  • CVSS v3.1: 7.5 (High)
  • EPSS: 0.07%
  • Impact: Denial of Service
  • Exploit Status: PoC Possible (Trivial)

Affected Systems

  • OpenSSL: 3.6.0 (Fixed in: 3.6.1)
  • OpenSSL: 3.5.0 (Fixed in: 3.5.5)
  • OpenSSL: 3.4.0 (Fixed in: 3.4.4)
  • OpenSSL: 3.3.0 (Fixed in: 3.3.6)
  • OpenSSL: 3.0.0 (Fixed in: 3.0.19)
  • OpenSSL 1.1.1

Code Analysis

Commit: 27c7012

Fix for ASN1_TYPE confusion in timestamp verification

static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
 {
     ASN1_TYPE *attr;
     const unsigned char *p;

     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
-    if (attr == NULL)
+    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
         return NULL;
     p = attr->value.sequence->data;
     return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
 }
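
Review bot: in ossl_ess_get_signing_cert the new attr->type != V_ASN1_SEQUENCE test shares one return NULL with the attr == NULL case, so a caller cannot tell a missing signingCertificate attribute from one that is present with the wrong ASN.1 type. If the caller reports those two conditions differently, split the test or raise a distinct error for the type mismatch. Either way, a one-line comment stating that attr->value.sequence is only valid when attr->type is V_ASN1_SEQUENCE would document why the check has to precede the dereference on the next line. Only the getter for NID_id_smime_aa_signingCertificate is visible in this hunk, so any sibling accessor that reads attr->value.sequence from a signed attribute should be confirmed to carry the same guard.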

Exploit Details

  • Context: No public exploit released, but trivial to implement via ASN.1 mutation.

Mitigation Strategies

  • Update OpenSSL to the latest patched release.
  • Disable TimeStamp Protocol (TSP) verification if not critical to business logic.
  • Implement network-level filtering for malformed ASN.1 structures (difficult without specific WAF rules).

Remediation Steps:

  1. Identify all systems linking against libcrypto / OpenSSL.
  2. Check the OpenSSL version using openssl version.
  3. Apply the vendor patch or upgrade to a fixed release (e.g., 3.4.4, 3.0.19).
  4. Restart all dependent services (web servers, load balancers, signing appliances).
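
A version check for remediation steps 2 and 3, as an added example that is not part of the original report: it compares a version string against the fixed releases listed under Affected Systems. The function name tsp_fix_status and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the fixed
# releases listed on this page for CVE-2025-69420.
# Prints: fixed-release | below-fix | no-fix-listed | unlisted | unparsed
# The function name and output labels are hypothetical, chosen for this example.
tsp_fix_status() {
    _v=${1#OpenSSL }            # drop the product name of an `openssl version` line
    _v=${_v%% *}                # keep the first whitespace-delimited token
    case $_v in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unparsed; return 0 ;;
    esac
    _major=${_v%%.*}; _rest=${_v#*.}
    _minor=${_rest%%.*}; _patch=${_rest#*.}
    _patch=${_patch%%[!0-9]*}   # "1w" -> "1", "0-beta1" -> "0"
    case "$_major.$_minor.$_patch" in
        *[!0-9.]*|.*|*..*|*.) echo unparsed; return 0 ;;
    esac
    case "$_major.$_minor" in   # branch -> first fixed patch level (from the page)
        3.6) _fix=1 ;;
        3.5) _fix=5 ;;
        3.4) _fix=4 ;;
        3.3) _fix=6 ;;
        3.0) _fix=19 ;;
        1.1) # the page lists 1.1.1 as affected but names no fixed release
             if [ "$_patch" -eq 1 ]; then echo no-fix-listed; else echo unlisted; fi
             return 0 ;;
        *)   echo unlisted; return 0 ;;
    esac
    # A distribution may backport the fix without changing the upstream
    # version number, so below-fix means "check the vendor advisory".
    if [ "$_patch" -ge "$_fix" ]; then echo fixed-release; else echo below-fix; fi
}

# Constructed sample inputs (not captured from real hosts).
for _s in "OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)" \
          "3.5.5" "OpenSSL 1.1.1w  11 Sep 2023" "3.2.1"; do
    printf '%-14s %s\n' "$(tsp_fix_status "$_s")" "$_s"
done
```

On a host, pass it the live value with tsp_fix_status "$(openssl version)". That reports only the library the openssl command itself uses, so applications that bundle or statically link libcrypto need to be checked separately.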

Read the full report for CVE-2025-69420 on our website for more details including interactive diagrams and full exploit analysis.