CVE-2025-68160
Description
Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.

Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.

The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.
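Added example, not from the advisory or from ManageEngine: a Python triage of `openssl version` banners against the fixed releases named in the tables on this page (3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19). The host names and banner strings are constructed sample input, and the status labels are this example's own.

```python
import re

# Fixed patch level per 3.x branch, from the "fixed in" rows on this page.
FIXED = {(3, 6): 1, (3, 5): 5, (3, 4): 4, (3, 3): 6, (3, 0): 19}
# Branches the description lists as vulnerable; this page names no fixed
# release for them, so they are flagged rather than compared.
NO_FIX_LISTED = ("1.1.1", "1.0.2")

_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def triage(banner):
    """Classify one `openssl version` banner line for CVE-2025-68160."""
    m = _BANNER.search(banner)
    if not m:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if f"{major}.{minor}.{patch}" in NO_FIX_LISTED:
        return "vulnerable-branch-no-fix-listed"
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch is not mentioned on this page; do not guess.
        return "branch-not-covered"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def triage_inventory(rows):
    """Map host -> status for (host, banner) pairs."""
    return {host: triage(banner) for host, banner in rows}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = [
    ("host-a", "OpenSSL 3.5.4 (constructed banner)"),
    ("host-b", "OpenSSL 3.0.19 (constructed banner)"),
    ("host-c", "OpenSSL 1.1.1ze (constructed banner)"),
    ("host-d", "OpenSSL 3.2.1 (constructed banner)"),
    ("host-e", "not an openssl banner"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

A "vulnerable" result only means the library predates the fix; per the description, an application is exposed only if it explicitly uses BIO_f_linebuffer in front of a BIO that can short-write.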
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple Vulnerabilities are affected in IBM MQ 9.3.5.1 | Windows |
| Multiple Vulnerabilities are affected in OpenSSL 3.4.3 | Windows |
| Multiple Vulnerabilities are affected in OpenSSL 3.5.4 | Windows |
| Multiple Vulnerabilities are affected in OpenSSL 3.6.0 | Windows |
| Multiple Vulnerabilities are affected in OpenSSL 3.0.18 | Windows |
| Multiple Vulnerabilities are affected in OpenSSL 3.3.5 | Windows |
| Vulnerabilities CVE-2025-68160, CVE-2025-69421, CVE-2026-22796 are affected in OpenSSL 1.0.2zn | Windows |
| Multiple Vulnerabilities are affected in OpenSSL 1.1.1ze | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (3.6.1) | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (x64) (3.6.1) | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light (3.6.1) | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light (x64) (3.6.1) | Windows |
| Multiple vulnerabilities are fixed in OpenSSL 3.5.5 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL 3.4.4 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL 3.3.6 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL 3.0.19 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.6.1 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.5.5 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.4.4 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.3.6 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x64) 3.0.19 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.6.1 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.5.5 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.4.4 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.3.6 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL (MSI)(x86) 3.0.19 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.1.0.33 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.2.0.40 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.3.0.36 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.4.0.17 | Windows |
| Multiple Vulnerabilities are affected in IBM MQ 9.4.5.0 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light 3.5.5 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light 3.4.4 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light 3.3.6 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light 3.0.19 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light (x64) 3.5.5 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light (x64) 3.4.4 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light (x64) 3.3.6 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Light (x64) 3.0.19 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library 3.6.1 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library 3.5.5 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library 3.4.4 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library 3.3.6 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library 3.0.19 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library x86 3.6.1 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library x86 3.5.5 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library x86 3.4.4 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library x86 3.3.6 | Windows |
| Multiple vulnerabilities are fixed in OpenSSL Library x86 3.0.19 | Windows |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-355449 | OpenSSL (3.6.1) |
| PATCH-355450 | OpenSSL (x64) (3.6.1) |
| PATCH-355451 | OpenSSL Light (3.6.1) |
| PATCH-355452 | OpenSSL Light (x64) (3.6.1) |