CVE-2025-15468

Issue summary: If an application using the SSL_CIPHER_find() function in<br /> a QUIC protocol client or server receives an unknown cipher suite from<br /> the peer, a NULL dereference occurs.<br /> <br /> Impact summary: A NULL pointer dereference leads to abnormal termination of<br /> the running process causing Denial of Service.<br /> <br /> Some applications call SSL_CIPHER_find() from the client_hello_cb callback<br /> on the cipher ID received from the peer. If this is done with an SSL object<br /> implementing the QUIC protocol, NULL pointer dereference will happen if<br /> the examined cipher ID is unknown or unsupported.<br /> <br /> As it is not very common to call this function in applications using the QUIC <br /> protocol and the worst outcome is Denial of Service, the issue was assessed<br /> as Low severity.<br /> <br /> The vulnerable code was introduced in the 3.2 version with the addition<br /> of the QUIC protocol support.<br /> <br /> The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue,<br /> as the QUIC implementation is outside the OpenSSL FIPS module boundary.<br /> <br /> OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.<br /> <br /> OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.