#VU116214 Covert Timing Channel in OpenSSL - CVE-2025-9231

Cybersecurity Help s.r.o.

Published: 2025-10-01

Vulnerability identifier: #VU116214

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-9231

CWE-ID: CWE-385

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to timing side-channel in SM2 signature computations on 64 bit ARM platforms. A remote attacker can recover the private key and decrypt data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.5.3

External links
https://openssl-library.org/news/secadv/20250930.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Meinberg LANTIME firmware update for third-party components

Fedora 41 update for openssl

Fedora 42 update for openssl

Debian update for openssl

FreeBSD update for OpenSSL

Ubuntu update for openssl

Multiple vulnerabilities in OpenSSL