
OpenSSL 3.6.1 has been released today as the first maintenance/security update to the latest OpenSSL 3.6 series of this widely used TLS/SSL and crypto library for providing secure communications over computer networks.
OpenSSL 3.6.1 addresses several critical security vulnerabilities, including CVE-2025-11187 (improper validation of PBMAC1 parameters during PKCS#12 MAC verification), CVE-2025-15467 (a NULL dereference in the SSL_CIPHER_find() function when given an unknown cipher ID), and CVE-2025-15469 (the openssl dgst one-shot code path silently truncating inputs larger than 16 MB).
This release also addresses CVE-2025-66199 (excessive memory allocation when handling TLS 1.3 CompressedCertificate messages), CVE-2025-68160 (a heap out-of-bounds write in BIO_f_linebuffer on short writes), CVE-2025-69418 (unauthenticated/unencrypted trailing bytes when using the low-level OCB function calls), and CVE-2025-69419 (an out-of-bounds write in the UTF-8 conversion performed by PKCS12_get_friendlyname()).
On top of that, OpenSSL 3.6.1 addresses CVE-2025-69420 (missing ASN1_TYPE validation in the TS_RESP_verify_response() function), CVE-2025-69421 (a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function), CVE-2026-22795 (missing ASN1_TYPE validation in PKCS#12 parsing), and CVE-2026-22796 (an ASN1_TYPE type confusion in the PKCS7_digest_from_attributes() function).
Apart from these security fixes, the OpenSSL 3.6.1 release fixes a regression in the handling of the X509_V_FLAG_CRL_CHECK_ALL flag by restoring its pre-OpenSSL 3.6 behavior, as well as a regression in the handling of stapled OCSP responses that caused handshake failures between OpenSSL 3.6 servers and various client implementations.
Also today, the OpenSSL project released OpenSSL 3.5.5, OpenSSL 3.4.4, OpenSSL 3.3.6, and OpenSSL 3.0.19 as security/bugfix point releases to the OpenSSL 3.5, OpenSSL 3.4, OpenSSL 3.3, and OpenSSL 3.0 series for those who still use these branches. Check out the project’s GitHub page for more details about the changes included in these updates.
OpenSSL 3.6 is the latest version of this cryptographic library, adding significant new functionality like NIST security categories for PKEY objects, support for EVP_SKEY opaque symmetric key objects, support for FIPS 186-5 deterministic ECDSA signature generation, LMS signature verification support, and an openssl configutl utility for processing the OpenSSL configuration file.
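A quick way to tell whether a host's OpenSSL build is at or past the fixed point release for its branch, using the version numbers listed above. This is an added example, not code from the OpenSSL project; the banner strings in the check are constructed, and the branch table assumes that only the five branches named in the announcement received fixes.

```python
"""Compare a local OpenSSL version against the fixed point releases
named in the announcement (3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19)."""
import re
import subprocess

# Branch (major, minor) -> first release containing the fixes, per the announcement.
FIXED_VERSIONS = {
    (3, 6): (3, 6, 1),
    (3, 5): (3, 5, 5),
    (3, 4): (3, 4, 4),
    (3, 3): (3, 3, 6),
    (3, 0): (3, 0, 19),
}

# Matches the leading "OpenSSL X.Y.Z" of `openssl version` output; any
# trailing letter or build suffix (e.g. "1.1.1w", "3.6.1-dev") is ignored.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def check_version(version):
    """Classify a version tuple against the fixed releases for its branch."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"  # e.g. 1.1.1 or an EOL 3.x branch not in the list
    return "patched" if version >= fixed else "vulnerable"


def check_banner(banner):
    """Classify a raw banner string; 'unparsed' if it is not an OpenSSL banner."""
    version = parse_version(banner)
    return "unparsed" if version is None else check_version(version)


def installed_banner():
    """Run the local `openssl version` command; empty string if it is missing."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    banner = installed_banner()
    print(banner.strip() or "(openssl not found)", "->", check_banner(banner))
```

Distribution packages often backport fixes while keeping an older version string, so a "vulnerable" result is a prompt to consult the vendor's advisory rather than a definitive finding.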