CVE-2025-9230

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
30/09/2025
Last modified:
04/11/2025

Description

Issue summary: An application trying to decrypt CMS messages encrypted using password-based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password-based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.