{“lastseen”:””,”description”:”Issue summary: When using the low-level OCB API directly with AES-NI or\\u003cbr\\u003eother hardware-accelerated code paths, inputs whose length is not a multiple\\u003cbr\\u003eof 16 bytes can leave the final partial block unencrypted and unauthenticated.\\u003cbr\\u003e\\u003cbr\\u003eImpact summary: The trailing 1-15 bytes of a message may be exposed in\\u003cbr\\u003ecleartext on encryption and are not covered by the authentication tag,\\u003cbr\\u003eallowing an attacker to read or tamper with those bytes without detection.\\u003cbr\\u003e\\u003cbr\\u003eThe low-level OCB encrypt and decrypt routines in the hardware-accelerated\\u003cbr\\u003estream path process full 16-byte blocks but do not advance the input\/output\\u003cbr\\u003epointers. The subsequent tail-handling code then operates on the original\\u003cbr\\u003ebase pointers, effectively reprocessing the beginning of the buffer while\\u003cbr\\u003eleaving the actual trailing bytes unprocessed. The authentication checksum\\u003cbr\\u003ealso excludes the true tail bytes.\\u003cbr\\u003e\\u003cbr\\u003eHowever, typical OpenSSL consumers using EVP are not affected because the\\u003cbr\\u003ehigher-level EVP and provider OCB implementations split inputs so that full\\u003cbr\\u003eblocks and trailing partial blocks are processed in separate calls, avoiding\\u003cbr\\u003ethe problematic code path. Additionally, TLS does not use OCB ciphersuites.\\u003cbr\\u003eThe vulnerability only affects applications that call the low-level\\u003cbr\\u003eCRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with\\u003cbr\\u003enon-block-aligned lengths in a single call on hardware-accelerated builds.\\u003cbr\\u003eFor these reasons the issue was assessed as Low severity.\\u003cbr\\u003e\\u003cbr\\u003eThe FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected\\u003cbr\\u003eby this issue, as OCB mode is not a FIPS-approved algorithm.\\u003cbr\\u003e\\u003cbr\\u003eOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\\u003cbr\\u003e\\u003cbr\\u003eOpenSSL 1.0.2 is not affected by this issue.”,”published”:”2026-01-27T16:01:23.986Z”,”modified”:”2026-01-29T15:07:14.052Z”,”type”:”cve”,”title”:”Unauthenticated\/unencrypted trailing bytes with low-level OCB function calls”,”source”:”openssl”,”references”:”https:\/\/openssl-library.org\/news\/secadv\/20260127.txt\\nhttps:\/\/github.com\/openssl\/openssl\/commit\/ed40856d7d4ba6cb42779b6770666a65f19cb977\\nhttps:\/\/github.com\/openssl\/openssl\/commit\/4016975d4469cd6b94927c607f7c511385f928d8\\nhttps:\/\/github.com\/openssl\/openssl\/commit\/372fc5c77529695b05b4f5b5187691a57ef5dffc\\nhttps:\/\/github.com\/openssl\/openssl\/commit\/a7589230356d908c0eca4b969ec4f62106f4f5ae\\nhttps:\/\/github.com\/openssl\/openssl\/commit\/52d23c86a54adab5ee9f80e48b242b52c4cc2347″,”id”:”CVE-2025-69418″,”bulletinFamily”:””,”cwe”:[“CWE-325″],”cvelist”:null,”sourceData”:”OpenSSL OpenSSL 3.6.0\\nOpenSSL OpenSSL 3.5.0\\nOpenSSL OpenSSL 3.4.0\\nOpenSSL OpenSSL 3.3.0\\nOpenSSL OpenSSL 3.0.0\\nOpenSSL OpenSSL 1.1.1″,”sourceHref”:””,”cvss”:{“score”:4,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:L\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”OpenSSL”,”version”:”3.6.0″,”vendor”:”OpenSSL”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Issue summary: When using the low-level OCB API directly with AES-NI or\\u003cbr\\u003eother hardware-accelerated code paths, inputs whose length is not a multiple\\u003cbr\\u003eof 16 bytes can…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,135,12,21,13,7,11,5],"class_list":["post-38132","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-40","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n