Alpine: libcrypto3, multiple openssl packages: security update to 3.0.19-r0

high Tenable Self-Hosted Container Security Plugin ID 437636

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the
PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash
which leads to Denial of Service for an application processing PKCS#12 files. The
PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before
dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter
can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to
achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a
malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low
severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected
by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6,
3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. (CVE-2025-69421)

- Issue summary: A timing side-channel which could potentially allow recovering the private key exists in
the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring the timing would require either
local access to the signing application or a very fast network connection with low latency. There is a
timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This
can happen with significant probability only for some of the supported elliptic curves. In particular the
NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located
in the same physical computer or must have a very fast network connection with low latency. For that
reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are
affected by this issue. (CVE-2024-13176)

- Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can
trigger an out-of-bounds read and write. Impact summary: This out-of-bounds read may trigger a crash which
leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which
can have various consequences including a Denial of Service or Execution of attacker-supplied code.
Although the consequences of a successful exploit of this vulnerability could be severe, the probability
that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in
CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to
our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue,
as the CMS implementation is outside the OpenSSL FIPS module boundary. (CVE-2025-9230)

- Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds
read if the 'no_proxy' environment variable is set and the host portion of the authority component of the
HTTP URL is an IPv6 address. Impact summary: An out-of-bounds read can trigger a crash which leads to
Denial of Service for an application. The OpenSSL HTTP client API functions can be used directly by
applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol)
client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be
controlled by an attacker. In this vulnerable code the out of bounds read can only trigger a crash.
Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the
OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned
reasons the issue was assessed as Low severity. The vulnerable code was introduced in the following patch
releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and
3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module
boundary. (CVE-2025-9232)

- Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD
parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a
crash, causing Denial of Service, or potentially remote code execution. When parsing CMS
(Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector)
encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length
fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-
based out-of-bounds write before any authentication or tag verification occurs. Applications and services
that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-
GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is
required to trigger it. While exploitability to remote code execution depends on platform and toolchain
mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4,
3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not
affected by this issue. (CVE-2025-15467)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-13176

https://security.alpinelinux.org/vuln/CVE-2025-15467

https://security.alpinelinux.org/vuln/CVE-2025-68160

https://security.alpinelinux.org/vuln/CVE-2025-69418

https://security.alpinelinux.org/vuln/CVE-2025-69419

https://security.alpinelinux.org/vuln/CVE-2025-69420

https://security.alpinelinux.org/vuln/CVE-2025-69421

https://security.alpinelinux.org/vuln/CVE-2025-9230

https://security.alpinelinux.org/vuln/CVE-2025-9232

https://security.alpinelinux.org/vuln/CVE-2026-22795

https://security.alpinelinux.org/vuln/CVE-2026-22796

Plugin Details

Severity: High

ID: 437636

Version: Revision 1.9

Type: Local

Published: 2/8/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.9

Percentile: 99.36

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-69421

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/9/2024

Reference Information

CVE: CVE-2024-13176, CVE-2025-15467, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2025-9230, CVE-2025-9232, CVE-2026-22795, CVE-2026-22796

IAVA: 2025-A-0127-S, 2025-A-0716-S, 2026-A-0087