Issue summary: When using the low-level OCB API directly with AES-NI orother hardware-accelerated code paths, inputs whose length is not a multipleof 16 bytes can leave the final partial block unencrypted and unauthenticated.Impact summary: The trailing 1-15 bytes of a message may be exposed incleartext on encryption and are not covered by the authentication tag,allowing an attacker to read or tamper with those bytes without detection.The low-level OCB encrypt and decrypt routines in the hardware-acceleratedstream path process full 16-byte blocks but do not advance the input/outputpointers. The subsequent tail-handling code then operates on the originalbase pointers, effectively reprocessing the beginning of the buffer whileleaving the actual trailing bytes unprocessed. The authentication checksumalso excludes the true tail bytes.However, typical OpenSSL consumers using EVP are not affected because thehigher-level EVP and provider OCB implementations split inputs so that fullblocks and trailing partial blocks are processed in separate calls, avoidingthe problematic code path. Additionally, TLS does not use OCB ciphersuites.The vulnerability only affects applications that call the low-levelCRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly withnon-block-aligned lengths in a single call on hardware-accelerated builds.For these reasons the issue was assessed as Low severity.The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affectedby this issue, as OCB mode is not a FIPS-approved algorithm.OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.OpenSSL 1.0.2 is not affected by this issue.
Weakness
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | RedHat | openssl-1:3.5.1-7.el10_1 | * |
| Red Hat Enterprise Linux 9 | RedHat | openssl-1:3.5.1-7.el9_7 | * |
| Red Hat Enterprise Linux 9 | RedHat | openssl-1:3.5.1-7.el9_7 | * |
| Edk2 | Ubuntu | plucky | * |
| Nodejs | Ubuntu | esm-apps/jammy | * |
| Nodejs | Ubuntu | jammy | * |
| Openssl | Ubuntu | devel | * |
| Openssl | Ubuntu | esm-infra/bionic | * |
| Openssl | Ubuntu | esm-infra/focal | * |
| Openssl | Ubuntu | fips-preview/jammy | * |
| Openssl | Ubuntu | fips-updates/bionic | * |
| Openssl | Ubuntu | fips-updates/focal | * |
| Openssl | Ubuntu | fips-updates/jammy | * |
| Openssl | Ubuntu | fips/bionic | * |
| Openssl | Ubuntu | fips/focal | * |
| Openssl | Ubuntu | jammy | * |
| Openssl | Ubuntu | noble | * |
| Openssl | Ubuntu | plucky | * |
| Openssl | Ubuntu | questing | * |
| Openssl | Ubuntu | upstream | * |
Related Attack Patterns
References
- https://github.com/openssl/openssl/commit/372fc5c77529695b05b4f5b5187691a57ef5dffc
- https://github.com/openssl/openssl/commit/4016975d4469cd6b94927c607f7c511385f928d8
- https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347
- https://github.com/openssl/openssl/commit/a7589230356d908c0eca4b969ec4f62106f4f5ae
- https://github.com/openssl/openssl/commit/ed40856d7d4ba6cb42779b6770666a65f19cb977
- https://openssl-library.org/news/secadv/20260127.txt