Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

OpenSSL QUIC SSL_CIPHER_find() NULL Dereference on Unknown Cipher ID

IdentifiersCVE-2025-15468CWE-476· NULL Pointer Dereference

CVE-2025-15468 is a NULL pointer dereference vulnerability in OpenSSL's handling of QUIC cipher lookup. If an application using a QUIC protocol client or server calls SSL_CIPHER_find() on a cipher suite ID received from a peer, and that cipher ID is unknown or unsupported, the call can dereference a NULL pointer and terminate the process. The issue is specifically described in applications that invoke SSL_CIPHER_find() from the client_hello_cb callback while operating on an SSL object implementing QUIC. The vulnerable code path was introduced in OpenSSL 3.2 with the addition of QUIC support. Affected versions are OpenSSL 3.3, 3.4, 3.5, and 3.6; OpenSSL 3.0, 1.1.1, and 1.0.2 are not affected. The OpenSSL FIPS modules for 3.3 through 3.6 are not affected because the QUIC implementation is outside the FIPS module boundary.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes abnormal termination of the affected application process due to a NULL pointer dereference, resulting in Denial of Service. The available content does not indicate confidentiality, integrity, or code execution impact for this CVE; the stated worst-case outcome is process crash/DoS.

Mitigation

If you can’t patch tonight, do this now.

Avoid calling SSL_CIPHER_find() on peer-supplied cipher suite IDs in QUIC contexts unless the value has been validated as known and supported. In particular, applications using client_hello_cb with QUIC SSL objects should defensively reject or safely handle unknown cipher IDs before invoking SSL_CIPHER_find(). Where operationally feasible, disable or avoid the affected QUIC callback usage pattern until patched OpenSSL versions are deployed.

Remediation

Patch, then assume compromise.

Upgrade OpenSSL to a fixed release: 3.6.1, 3.5.5, 3.4.4, or 3.3.6, depending on the deployed branch. Downstream vendors should also apply their corresponding patched packages or firmware releases that incorporate these OpenSSL fixes.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
FreebsdFreebsdapplication
OpenSSL Software FoundationOpensslapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

32 SOURCESView more in app
help net securityNews
Mar 2, 2026
IPFire ships its 200th core update with a new domain blocklist and kernel upgrade - Help Net Security

An OpenSSL vulnerability patched by upgrading to OpenSSL 3.6.1 in IPFire Core Update 200.

Read more
f5News
Mar 2, 2026
Weekly Threat Bulletin - February 4th, 2026 | F5 Labs

Unknown (listed among related OpenSSL CVEs, but not described in the content).

Read more
cyber security newsNews
Jan 28, 2026
OpenSSL Vulnerabilities Allow Remote Attackers to Execute Malicious Code

Low-severity OpenSSL null pointer dereference in QUIC cipher lookup, likely causing denial of service in QUIC-related code paths.

Read more
alpinelinuxNews
Jan 27, 2026
Alpine 3.20.9, 3.21.6, 3.22.3 and 3.23.3 released | Alpine Linux

An OpenSSL vulnerability addressed in Alpine Linux stable releases 3.20.9, 3.21.6, 3.22.3, and 3.23.3.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-15468
NVD
nvd.nist.gov/vuln/detail/CVE-2025-15468
MITRE CWE · CWE-476
NULL Pointer Dereference
Patch
github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65
Patch
github.com/openssl/openssl/commit/7c88376731c589ee5b36116c5a6e32d5ae5f7ae2
Patch
github.com/openssl/openssl/commit/b2539639400288a4580fe2d76247541b976bade4
Patch
github.com/openssl/openssl/commit/d75b309879631d45b972396ce4e5102559c64ac7
Vendor Advisory
openssl-library.org/news/secadv/20260127.txt