CVE-2025-3416

NameCVE-2025-3416
DescriptionA flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1102137

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rust-openssl (PTS)bullseye0.10.29-1vulnerable
bullseye (security)0.10.29-1+deb11u1vulnerable
bookworm0.10.45-1vulnerable
sid, trixie0.10.72-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rust-opensslsource(unstable)0.10.72-11102137

Notes

[bookworm] - rust-openssl <no-dsa> (Minor issue)
https://rustsec.org/advisories/RUSTSEC-2025-0022.html
https://github.com/sfackler/rust-openssl/pull/2390
https://github.com/sfackler/rust-openssl/commit/87085bd67896b7f92e6de35d081f607a334beae4
Search for package or bug name: Reporting problems