OpenSSL
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*, +1 more
- 3.6
A vulnerability exists in OpenSSL applications that use AES-CFB128 encryption or decryption on x86-64 systems with AVX-512 and VAES support. When a partial cipher block is processed, the partial-block pre-processing code unconditionally loads 16 bytes from the input buffer using unmasked AVX instructions, without checking how many of those bytes are actually valid. The result is an out-of-bounds read of up to 15 bytes past the end of the valid input. The over-read bytes are never written to the output; the danger is that, if the input buffer ends exactly on a memory page boundary and the following page is unmapped, the load faults and the application crashes, which is a denial-of-service condition.
Exploitation of this vulnerability can cause a crash, leading to a denial-of-service condition for the affected application.
To reproduce this vulnerability, the application must run on an x86-64 system with AVX-512 and VAES support, so that the affected AES-CFB128 implementation is used. The flaw is triggered while processing a partial cipher block: a previous encryption or decryption call left an incomplete block, and the current call supplies fewer bytes than are needed to complete it. For the over-read to crash rather than silently read adjacent memory, the input buffer must end exactly at a page boundary, with the following page unmapped.
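The memory condition described above, as an added C example that is not part of this advisory and not OpenSSL's code: a model of the flawed pre-processing (a full 16-byte read regardless of how many input bytes are valid) next to a bounded variant, both run against an input that ends exactly on a page boundary with an inaccessible page behind it. Everything beyond the advisory's description is an assumption made for the demonstration: OpenSSL's real code is AVX-512/VAES assembly and is modelled here as a volatile byte loop; a PROT_NONE guard page stands in for an unmapped page; the bounded copy is an assumed fix, not the project's patch; the function names and the sample bytes are constructed. The loader runs in a forked child so that the crash the advisory describes can be reported back as a value instead of taking the program down.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define AES_BLOCK 16

typedef int (*loader_fn)(const unsigned char *in, size_t n, unsigned char *out);

/* Model of the flawed pre-processing (assumption: OpenSSL's real code is
 * AVX-512/VAES assembly; a volatile byte loop stands in for the unmasked
 * 16-byte vector load). It reads a full block even when only n < 16 input
 * bytes are valid, so up to 15 bytes past the input are read. A caller
 * would use only the first n bytes, so the over-read is never output. */
static int unsafe_partial_load(const unsigned char *in, size_t n, unsigned char *out)
{
    const volatile unsigned char *p = in;
    (void)n;                                  /* bug: n is never consulted */
    for (size_t i = 0; i < AES_BLOCK; i++)
        out[i] = p[i];
    return 0;
}

/* Bounded variant (assumed fix, not the project's patch): copy only the
 * n valid bytes and zero the rest of the block. */
static int safe_partial_load(const unsigned char *in, size_t n, unsigned char *out)
{
    if (n > AES_BLOCK) return -1;
    memset(out, 0, AES_BLOCK);
    memcpy(out, in, n);
    return 0;
}

/* Lay memory out as the advisory describes: an n-byte input ending exactly
 * on a page boundary, followed by an inaccessible page (PROT_NONE stands
 * in for unmapped; both fault on read). Returns the input or NULL. */
static unsigned char *make_guarded_input(size_t n, void **map, size_t *map_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *base, *in;

    if (n == 0 || n > page) return NULL;
    *map_len = 2 * page;
    base = mmap(NULL, *map_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + page, page, PROT_NONE) != 0) { munmap(base, *map_len); return NULL; }
    *map = base;
    in = base + page - n;                     /* input ends at the boundary */
    for (size_t i = 0; i < n; i++)            /* constructed sample bytes */
        in[i] = (unsigned char)(0xA0 + i);
    return in;
}

/* Run a loader on an n-byte partial block in a forked child, the way the
 * affected application would crash. Returns 1 if the child died with
 * SIGSEGV, 0 if it finished normally, -1 if the harness itself failed. */
static int loader_crashes(loader_fn loader, size_t n)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        void *map = NULL;
        size_t map_len = 0;
        unsigned char out[AES_BLOCK];
        unsigned char *in = make_guarded_input(n, &map, &map_len);
        if (in == NULL) _exit(2);
        loader(in, n, out);
        munmap(map, map_len);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) return 1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Check that the bounded variant reproduces the n valid bytes and zero-pads
 * the rest on the same page-boundary layout. Returns 1 on success. */
static int safe_load_matches(size_t n)
{
    void *map = NULL;
    size_t map_len = 0;
    unsigned char out[AES_BLOCK];
    unsigned char *in = make_guarded_input(n, &map, &map_len);
    int ok;
    if (in == NULL) return 0;
    ok = safe_partial_load(in, n, out) == 0;
    for (size_t i = 0; ok && i < AES_BLOCK; i++)
        ok = out[i] == (i < n ? in[i] : 0);
    munmap(map, map_len);
    return ok;
}
```

With one valid byte at the end of the page, `loader_crashes(unsafe_partial_load, 1)` reports SIGSEGV because bytes 1 through 15 of the load land on the guard page, while `loader_crashes(safe_partial_load, 1)` completes and `safe_load_matches` confirms the bounded copy preserves the valid bytes. The same layout is what the advisory's trigger relies on: the over-read is harmless when the next page happens to be mapped and only becomes a crash when it is not, which is why a reproduction against a real build has to control where the input buffer ends, not just how many bytes it holds.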
Users of OpenSSL 3.6 should upgrade to OpenSSL 3.6.2. The FIPS module in OpenSSL 3.6 is also affected and should be upgraded to version 3.6.2.