OpenSSL Missing Cryptographic Step Vulnerability - CVE-2025-69418 - Vulnerability Database

Severity: Medium
Reference: CVE-2025-69418
Title: OpenSSL Missing Cryptographic Step Vulnerability
Overview:

Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected, because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity by the OpenSSL project. In practice, the exposure check is whether an application's own code (or a library it bundles) calls CRYPTO_ocb128_encrypt()/CRYPTO_ocb128_decrypt() directly; code that drives OCB through EVP_EncryptUpdate()/EVP_DecryptUpdate() is on the unaffected path.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
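To make the pointer-advance flaw and its consequences concrete, the following is an added model written for this page; it is not OpenSSL code and the "cipher" is a SHA-256-derived keystream standing in for OCB's masked AES step, so nothing here is cryptographically meaningful. What it reproduces is the bookkeeping the advisory describes: a full-block loop that does not move the input/output positions, followed by tail handling on the base positions. It assumes the caller encrypts in place (so untouched output bytes remain plaintext), a toy tag over the running checksum, and a constructed 43-byte message; the class and function names are hypothetical. The split-call wrapper mirrors the EVP/provider behaviour the advisory credits with avoiding the bad path.

```python
"""Toy model of the CVE-2025-69418 control-flow flaw (constructed example, not
OpenSSL code). The keystream below is a SHA-256 stand-in for OCB's masked AES
call; only the stream-path bookkeeping is modelled faithfully."""
import hashlib

BLOCK = 16


def _keystream(key: bytes, block_index: int) -> bytes:
    """Stand-in for the per-block OCB mask/AES step (NOT real OCB)."""
    return hashlib.sha256(key + block_index.to_bytes(8, "big")).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyOcbStreamCtx:
    """Per-message state, analogous to the block counter and running checksum
    that OpenSSL keeps in OCB128_CONTEXT between calls (hypothetical name)."""

    def __init__(self, key: bytes):
        self.key = key
        self.blocks_done = 0
        self.checksum = bytes(BLOCK)

    def encrypt(self, pt: bytes) -> bytes:
        """Models one low-level encrypt call on the flawed accelerated path.
        Assumption: the caller encrypts in place, so bytes this routine never
        writes remain plaintext in the output buffer."""
        out = bytearray(pt)
        nblocks, rem = divmod(len(pt), BLOCK)
        in_pos = out_pos = 0                        # the "base pointers"
        for i in range(nblocks):                    # full-block (stream) loop
            off = i * BLOCK
            block = pt[off:off + BLOCK]
            out[off:off + BLOCK] = _xor(block, _keystream(self.key, self.blocks_done + i))
            self.checksum = _xor(self.checksum, block)
        self.blocks_done += nblocks
        # Modelled flaw: in_pos/out_pos were never moved past the full blocks, so the
        # tail code re-encrypts the START of the buffer into the START of the output.
        # The real trailing bytes are never written and never enter the checksum.
        if rem:
            tail = pt[in_pos:in_pos + rem]
            out[out_pos:out_pos + rem] = _xor(tail, _keystream(self.key, self.blocks_done)[:rem])
            self.checksum = _xor(self.checksum, tail + b"\x80" + bytes(BLOCK - rem - 1))
        return bytes(out)

    def tag(self) -> bytes:
        """Toy tag over the running checksum (real OCB encrypts checksum ^ final offset)."""
        return hashlib.sha256(b"tag" + self.key + self.checksum).digest()[:BLOCK]


def encrypt_single_call(key: bytes, pt: bytes):
    """The affected usage: one call carrying a non-block-aligned length."""
    ctx = ToyOcbStreamCtx(key)
    return ctx.encrypt(pt), ctx.tag()


def encrypt_evp_style(key: bytes, pt: bytes):
    """What the advisory says EVP/provider code does: full blocks and the partial
    tail go through separate calls, so no call has both a full-block loop and a
    tail, and the base positions are correct whenever the tail code runs."""
    ctx = ToyOcbStreamCtx(key)
    full = len(pt) - len(pt) % BLOCK
    return ctx.encrypt(pt[:full]) + ctx.encrypt(pt[full:]), ctx.tag()


def tail_leaked(pt: bytes, ct: bytes) -> bool:
    """True when the trailing partial block of the ciphertext is still plaintext."""
    rem = len(pt) % BLOCK
    return rem > 0 and ct[-rem:] == pt[-rem:]


def tag_covers_tail(encrypt_fn, key: bytes, pt: bytes) -> bool:
    """True when flipping the last message byte changes the tag, i.e. the tail
    is authenticated. Only meaningful for non-block-aligned lengths."""
    if len(pt) % BLOCK == 0:
        raise ValueError("use a message whose length is not a multiple of 16")
    _, tag_a = encrypt_fn(key, pt)
    _, tag_b = encrypt_fn(key, pt[:-1] + bytes([pt[-1] ^ 0x01]))
    return tag_a != tag_b


# Constructed sample input: 43 bytes = 2 full blocks + an 11-byte tail.
KEY = b"\x01" * 16
MSG = b"the quick brown fox jumps over the lazy dog"

if __name__ == "__main__":
    ct_bug, _ = encrypt_single_call(KEY, MSG)
    ct_ok, _ = encrypt_evp_style(KEY, MSG)
    print("single call, tail in cleartext:", tail_leaked(MSG, ct_bug))
    print("single call, tag covers tail  :", tag_covers_tail(encrypt_single_call, KEY, MSG))
    print("split calls, tail in cleartext:", tail_leaked(MSG, ct_ok))
    print("split calls, tag covers tail  :", tag_covers_tail(encrypt_evp_style, KEY, MSG))
```

Running the model shows both halves of the impact summary: on the single-call path the last 11 bytes come out unchanged and the tag is identical whether or not they are altered, while the split-call path encrypts them and folds them into the checksum. Block-aligned inputs produce the same output on both paths, which is why the bug only surfaces for lengths that are not a multiple of 16. The model also explains why EVP users are safe without any change to the low-level routine: each of the two calls either has no tail or has no full blocks, so the stale base pointers are never used.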