The OpenSSL developers have announced the release of several new versions of the open-source SSL/TLS toolkit that fix three vulnerabilities at once.
In OpenSSL versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, and 1.1.1zd, the vulnerabilities CVE-2025-9230, CVE-2025-9231, and CVE-2025-9232 have been fixed.
Two of these issues are medium-severity vulnerabilities, while another one (CVE-2025-9231) allows an attacker to recover the private key. Since OpenSSL is used by numerous applications, websites, and services to secure communications, an attacker who obtains such a key would be able to decrypt encrypted traffic or perform a man-in-the-middle (MitM) attack.
However, the OpenSSL developers emphasize that CVE-2025-9231 affects only the SM2 algorithm implementation on 64-bit ARM platforms.
“OpenSSL does not natively support certificates with SM2 keys in TLS, so this vulnerability is not relevant in most TLS contexts,” the experts explain. “However, given the possibility of adding support for such certificates through a custom provider, and the fact that in this context the private key can be recovered via remote timing measurement, we assess this issue as a medium-severity vulnerability.”
In turn, CVE-2025-9230 is described as an out-of-bounds read/write issue that can be exploited to execute arbitrary code or for denial-of-service (DoS) attacks.
“Although the consequences of successful exploitation of this vulnerability may be serious, the likelihood that an attacker will be able to do so is very low,” the security bulletin says.
The third vulnerability, CVE-2025-9232, is of low severity and is reported to be exploitable to trigger application crashes, ultimately leading to denial-of-service (DoS).