Updated: 2026-02-04 04:59:48.850455
Description:
Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | MEDIUM | 4.0 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | openssl | 3.0.7 | 4.0 | MEDIUM | Released | CLSA-2026:1770668132 | 2026-02-09 20:31:02 | |
| Alpine Linux 3.18 ELS | openssl | 3.1.8 | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:04 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... | |
| CentOS 6 ELS | openssl | 1.0.1e | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:04 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... | |
| CentOS 7 ELS | openssl | 1.0.2k | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:00 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... | |
| CentOS 8.4 ELS | openssl | 1.1.1g | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:03 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... | |
| CentOS 8.5 ELS | openssl | 1.1.1k | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:02 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... | |
| CentOS Stream 8 ELS | openssl | 1.1.1k | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:03 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... | |
| CloudLinux 7 ELS | openssl | 1.0.2k | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:00 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... | |
| Debian 10 ELS | openssl | 1.1.1n | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:01 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... | |
| Oracle Linux 6 ELS | openssl | 1.0.1e | 4.0 | MEDIUM | Ignored | 2026-02-07 20:09:03 | This flaw only triggers when an application directly calls the low‑level CRYPTO_ocb128_{encrypt,de... |