CVE-2025-66199 — ThreaTel

THREATEL Threat Intel

v0.1

CVE-2025-66199

MED 5.9

Published

2026-01-27

Last Modified

2026-02-02

Affected Apps

27

Affected Devices

166

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Affected Applications in Environment 27

openssl v3.0.13-0ubuntu3.7

openssl v1.1.1f-1ubuntu2.24

openssl v1:3.5.1-4.el9_7

openssl v1:3.2.2-6.el9_5.1

openssl v1.1.1w-0+deb11u4

openssl v3.0.2-0ubuntu1.21

openssl v1.1.1-1ubuntu2.1~18.04.23

openssl v1.1.1w-0+deb11u5

openssl v1:3.5.1-7.el9_7

openssl v3.5.4-1~deb13u1

openssl v1:1.0.2k-26.el7_9

openssl v1.0.2g-1ubuntu4.20

openssl v3.5.4-1~deb13u2

openssl v1:1.1.1k-14.el8_6

openssl v1:3.5.1-5.el9_7

openssl v1:1.1.1k-15.el8_10

openssl v1.0.1f-1ubuntu2.27

openssl v1.0.2g-1ubuntu4.20+esm14

openssl v1:1.1.1k-14.el8_10

openssl v1:1.1.1k-14.el8_10

openssl v1:3.5.1-7.el9_7

openssl v1.1.1n-0+deb10u6

openssl v1:3.2.2-6.0.1.el9_5.1

openssl v3.4.1-1ubuntu4

openssl v1:3.5.1-3.el9

openssl v1:3.5.1-7.el10_1

pyOpenSSL v0.13.1-4.el7

Affected Devices 166

2ua5171h8k Linux DPCOMPdemoserver Linux DPNCHA-194733 Linux acmedns Linux administrator-SYS-4029GP-TRT2 Linux aggietower Linux ah-ots Linux atc.db.usu.edu Linux auto-score Linux awep1 Linux bacha25 Linux bennett-HP-Z2-SFF-G4-Workstation Linux blakeutil Linux bloodhound Linux capahab Linux cceredcapdb Linux cceredcapweb Linux chela03 Linux chela04 Linux chela05 Linux cleanaddressdev.banner.usu.edu Linux csf Linux devjobsub.banner.usu.edu Linux dist Linux dpapsb-161390.aggies.usu.edu Linux dpapsb-191594.mypc.usu.edu Linux educweb Linux el103-02.ece.usu.edu Linux el103-03.ece.usu.edu Linux el103-04.ece.usu.edu Linux el103-05.ece.usu.edu Linux el103-07.ece.usu.edu Linux el103-08.ece.usu.edu Linux el103-09.ece.usu.edu Linux el103-10.ece.usu.edu Linux el103-14.ece.usu.edu Linux el103-15.ece.usu.edu Linux el103-16.ece.usu.edu Linux el103-17.ece.usu.edu Linux el103-18.ece.usu.edu Linux el103-19.ece.usu.edu Linux el103-20.ece.usu.edu Linux el120-01.ece.usu.edu Linux el120-02.ece.usu.edu Linux el120-03.ece.usu.edu Linux el120-04.ece.usu.edu Linux el120-05.ece.usu.edu Linux el120-06.ece.usu.edu Linux el120-08.ece.usu.edu Linux el120-09.ece.usu.edu Linux el120-10.ece.usu.edu Linux el120-11.ece.usu.edu Linux el120-12.ece.usu.edu Linux el120-14.ece.usu.edu Linux elend Linux emby Linux eprocdev.banner.usu.edu Linux ezidadmin Linux facreadyprod.pplant.usu.edu Linux facreadytestrhel.pplant.usu.edu Linux facshibsp2.pplant.usu.edu Linux flexnet Linux fw Linux gul4.usu.edu Linux guru.cluster Linux hackedpasswords Linux hotcheeto Linux infosec-grafana Linux intune-mcc1 Linux intune-mcc3 Linux itfinance Linux itls-wp Linux jed Linux joek-HP-Z2-SFF-G9-Workstation-Desktop-PC Linux kcm.usu.edu Linux kena-utility Linux kmlab Linux ldap-lb01 Linux ldap-lb02 Linux libki-server Linux log Linux mail Linux mail Linux miscdata Linux miscnet Linux monitor01 Linux monitor02 Linux my1 Linux my2 Linux mysql02 Linux nt Linux omekanew Linux oms.db.usu.edu Linux owenclarke-OptiPlex-7090 Linux paymentworksdev.banner.usu.edu Linux promnet Linux rcbd Linux rcdb-dev Linux redcapweb Linux s2backups Linux seaweed Linux second-thrifted-tractor Linux sectap1 Linux sentry Linux server1mathusuedu Linux server2math Linux solar Linux spencer-funk-HP-Z2-SFF-G5-Workstation Linux starfleetpad Linux storm Linux strat Linux svn.usu.edu Linux sympa.ser321.usu.edu Linux sys-serv-l-301-data Linux thinkstation Linux tsutil.it.usu.edu Linux vinmathusuedu Linux vrtour Linux web-lb-stage.usu.edu Linux web-lb01-redirect.usu.edu Linux web-lb01.usu.edu Linux web-lb02-redirect.usu.edu Linux web-lb02.usu.edu Linux web-lb03-redirect.usu.edu Linux web-lb03.usu.edu Linux web-lb04.usu.edu Linux web02.usu.edu Linux web03.usu.edu Linux web04a Linux web05 Linux web06 Linux web08.usu.edu Linux web09.usu.edu Linux web10 Linux web10-awhc Linux web10-awhc Linux web11.usu.edu Linux web12.usu.edu Linux web13.usu.edu Linux web14.usu.edu Linux web15.usu.edu Linux web16.usu.edu Linux web17 Linux web18 Linux web19.usu.edu Linux web20 Linux web21 Linux web22 Linux web23 Linux web24 Linux web25 Linux web27.usu.edu Linux web28 Linux web29.usu.edu Linux web30.usu.edu Linux web31.usu.edu Linux web32.usu.edu Linux web33.usu.edu Linux web34.usu.edu Linux web35.usu.edu Linux web36.usu.edu Linux web37.usu.edu Linux webs.usu.edu Linux webtools Linux wpad Linux zldtst.db.usu.edu Linux

References 5