CVE-2025-69420
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/01/2026
Last modified:
27/01/2026
Description
Issue summary: A type confusion vulnerability exists in the TimeStamp Response
verification code where an ASN1_TYPE union member is accessed without first
validating the type, causing an invalid or NULL pointer dereference when
processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a
malformed TimeStamp Response can be caused to dereference an invalid or
NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()
access the signing cert attribute value without validating its type.
When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory
through the ASN1_TYPE union, causing a crash.
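The bug class described above, as an added example that is not OpenSSL's code: a constructed model of the ASN1_TYPE tagged union (the tag values follow ASN.1 universal tags; the union layout and the ASN1_STRING shape are assumptions, and decode_signing_cert() is a stand-in for the real ESS decoder). The unchecked accessor reads value.sequence whatever the tag says, so a V_ASN1_NULL attribute (whose pointer member is NULL) dereferences NULL and a V_ASN1_BOOLEAN attribute (stored inline as an int) yields a forged pointer; the checked accessor validates the tag before touching the union member, which is the shape of the fix.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the tagged union behind OpenSSL's ASN1_TYPE, reduced
 * to what this example needs. These are NOT OpenSSL's definitions: the tag
 * values mirror ASN.1 universal tags, the union layout is an assumption.
 */
enum {
    V_ASN1_BOOLEAN = 1,
    V_ASN1_INTEGER = 2,
    V_ASN1_NULL = 5,
    V_ASN1_SEQUENCE = 16
};

typedef struct {
    int length;
    const unsigned char *data;
} ASN1_STRING;

typedef struct {
    int type;                    /* which union member is live */
    union {
        int boolean;             /* stored inline, not a pointer */
        ASN1_STRING *integer;
        ASN1_STRING *sequence;   /* live only when type == V_ASN1_SEQUENCE */
        void *ptr;               /* for V_ASN1_NULL this is NULL */
    } value;
} ASN1_TYPE;

/*
 * Stand-in for the d2i_ESS_SIGNING_CERT() decode step (an assumption, not
 * the real decoder): accepts a short-form DER SEQUENCE TLV and returns its
 * content length, or -1 on anything else.
 */
static int decode_signing_cert(const unsigned char *p, int len)
{
    if (p == NULL || len < 2 || p[0] != 0x30 || (p[1] & 0x80) != 0)
        return -1;
    if (2 + p[1] > len)
        return -1;
    return p[1];
}

/* Vulnerable shape: value.sequence is read regardless of attr->type. */
int get_signing_cert_unchecked(const ASN1_TYPE *attr)
{
    if (attr == NULL)
        return -1;
    /* type == V_ASN1_NULL    -> sequence is NULL, NULL dereference here
     * type == V_ASN1_BOOLEAN -> sequence aliases an int, invalid pointer */
    const unsigned char *p = attr->value.sequence->data;
    return decode_signing_cert(p, attr->value.sequence->length);
}

/* Hardened shape: validate the tag before touching the union member. */
int get_signing_cert_checked(const ASN1_TYPE *attr)
{
    if (attr == NULL || attr->type != V_ASN1_SEQUENCE
        || attr->value.sequence == NULL)
        return -1;
    const unsigned char *p = attr->value.sequence->data;
    return decode_signing_cert(p, attr->value.sequence->length);
}

/* Constructed inputs: one well-formed SEQUENCE attribute, two malformed ones. */
static const unsigned char good_der[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static ASN1_STRING good_seq = { sizeof(good_der), good_der };
ASN1_TYPE attr_good = { V_ASN1_SEQUENCE, { .sequence = &good_seq } };
ASN1_TYPE attr_null = { V_ASN1_NULL,     { .ptr = NULL } };
ASN1_TYPE attr_bool = { V_ASN1_BOOLEAN,  { .boolean = 0xff } };

int main(void)
{
    printf("checked,   SEQUENCE: %d\n", get_signing_cert_checked(&attr_good));
    printf("checked,   NULL:     %d\n", get_signing_cert_checked(&attr_null));
    printf("checked,   BOOLEAN:  %d\n", get_signing_cert_checked(&attr_bool));
    printf("unchecked, SEQUENCE: %d\n", get_signing_cert_unchecked(&attr_good));
    /* get_signing_cert_unchecked(&attr_null) dereferences NULL and aborts;
     * get_signing_cert_unchecked(&attr_bool) follows a pointer forged from
     * the inline boolean. Neither is called here for that reason. */
    return 0;
}
```

The check belongs on the attribute's tag, not only on the pointer: a NULL test alone would still let the V_ASN1_BOOLEAN case through, because the union bytes holding the inline int read as a non-NULL pointer.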

Exploiting this vulnerability requires an attacker to provide a malformed
TimeStamp Response to an application that verifies timestamp responses. The
TimeStamp protocol (RFC 3161) is not widely used and the impact of the
exploit is just a Denial of Service. For these reasons the issue was
assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the TimeStamp Response implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
Impact
References to Advisories, Solutions, and Tools
- https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9
- https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a
- https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e
- https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b
- https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085
- https://openssl-library.org/news/secadv/20260127.txt