{"id":"CVE-2025-69420","details":"Issue summary: A type confusion vulnerability exists in the TimeStamp Response\nverification code where an ASN1_TYPE union member is accessed without first\nvalidating the type, causing an invalid or NULL pointer dereference when\nprocessing a malformed TimeStamp Response file.\n\nImpact summary: An application calling TS_RESP_verify_response() with a\nmalformed TimeStamp Response can be caused to dereference an invalid or\nNULL pointer when reading, resulting in a Denial of Service.\n\nThe functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()\naccess the signing cert attribute value without validating its type.\nWhen the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory\nthrough the ASN1_TYPE union, causing a crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nTimeStamp Response to an application that verifies timestamp responses. The\nTimeStamp protocol (RFC 3161) is not widely used and the impact of the\nexploit is just a Denial of Service. 
For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the TimeStamp Response implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.","modified":"2026-03-23T05:13:16.365472375Z","published":"2026-01-27T16:16:34.317Z","related":["ALSA-2026:1472","ALSA-2026:1473","CGA-f7hh-h68c-h67j","MGASA-2026-0029","SUSE-SU-2026:0309-1","SUSE-SU-2026:0310-1","SUSE-SU-2026:0311-1","SUSE-SU-2026:0312-1","SUSE-SU-2026:0331-1","SUSE-SU-2026:0332-1","SUSE-SU-2026:0333-1","SUSE-SU-2026:0343-1","SUSE-SU-2026:0346-1","SUSE-SU-2026:0358-1","SUSE-SU-2026:0359-1","SUSE-SU-2026:0360-1","SUSE-SU-2026:0498-1","SUSE-SU-2026:20211-1","SUSE-SU-2026:20223-1","SUSE-SU-2026:20349-1","SUSE-SU-2026:20373-1","openSUSE-SU-2026:10237-1","openSUSE-SU-2026:20152-1"],"references":[{"type":"ADVISORY","url":"https://openssl-library.org/news/secadv/20260127.txt"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b"},{"type":"FIX","url":"https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssl/openssl","events":[{"introduced":"e04bd3433fd84e1861bf258ea37928d9845e6a86"},{"fixed":"e04bd3433fd84e1861bf258ea37928d9845e6a86"},{"introduced":"89cd17a031e022211684eb7eb41190cf1910f9fa"},{"fixed":"a22063cd69a077cc68bb4c10e9f351f75899b194"},{"introduced":"4cb31128b5790819dfeea2739fbde265f71a10a2"},{"fixed":"4601ff25acd6c2fe58a8bfe241e6c470e27b8074"},{"
introduced":"98acb6b02839c609ef5b837794e08d906d965335"},{"fixed":"565bdcc41bbf89fcbaf962636469332689f0c9fd"},{"introduced":"636dfadc70ce26f2473870570bfd9ec352806b1d"},{"fixed":"67b5686b4419b4cb8caa502711c41815f5279751"},{"introduced":"7b371d80d959ec9ab4139d09d78e83c090de9779"},{"fixed":"c9a9e5b10105ad850b6e4d1122c645c67767c341"},{"fixed":"27c7012c91cc986a598d7540f3079dfde2416eb9"},{"fixed":"4e254b48ad93cc092be3dd62d97015f33f73133a"},{"fixed":"564fd9c73787f25693bf9e75faf7bf6bb1305d4e"},{"fixed":"5eb0770ffcf11b785cf374ff3c19196245e54f1b"},{"fixed":"a99349ebfc519999edc50620abe24d599b9eb085"}],"database_specific":{"versions":[{"introduced":"1.1.1"},{"fixed":"1.1.1ze"},{"introduced":"3.0.0"},{"fixed":"3.0.19"},{"introduced":"3.3.0"},{"fixed":"3.3.6"},{"introduced":"3.4.0"},{"fixed":"3.4.4"},{"introduced":"3.5.0"},{"fixed":"3.5.5"},{"introduced":"3.6.0"},{"fixed":"3.6.1"}]}}],"versions":["3.0-POST-CLANG-FORMAT-WEBKIT","3.0-PRE-CLANG-FORMAT-WEBKIT","3.3-POST-CLANG-FORMAT-WEBKIT","3.3-PRE-CLANG-FORMAT-WEBKIT","3.4-POST-CLANG-FORMAT-WEBKIT","3.4-PRE-CLANG-FORMAT-WEBKIT","3.5-POST-CLANG-FORMAT-WEBKIT","3.5-PRE-CLANG-FORMAT-WEBKIT","3.6-POST-CLANG-FORMAT-WEBKIT","3.6-PRE-CLANG-FORMAT-WEBKIT","OpenSSL_1_1_1w","openssl-3.0.0","openssl-3.0.1","openssl-3.0.10","openssl-3.0.11","openssl-3.0.12","openssl-3.0.13","openssl-3.0.14","openssl-3.0.15","openssl-3.0.16","openssl-3.0.17","openssl-3.0.18","openssl-3.0.2","openssl-3.0.3","openssl-3.0.4","openssl-3.0.5","openssl-3.0.6","openssl-3.0.7","openssl-3.0.8","openssl-3.0.9","openssl-3.3.0","openssl-3.3.1","openssl-3.3.2","openssl-3.3.3","openssl-3.3.4","openssl-3.3.5","openssl-3.4.0","openssl-3.4.1","openssl-3.4.2","openssl-3.4.3","openssl-3.5.0","openssl-3.5.1","openssl-3.5.2","openssl-3.5.3","openssl-3.5.4","openssl-3.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69420.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}