CVE-2025-66199 | TLS 1.3 CompressedCertificate excessive memory allocation

Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Published: 2026-01-27 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2025-66199 is rated Low Risk (35.1/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.40%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-66199

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.06% 0.40% +0.34%
2 2026-02-02 0.02% 0.06% +0.04%
3 2026-01-28 0.02%

Full EPSS history (3 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-66199

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.9 3.1 MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
2.2 3.6 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2025-66199

OS Trackers for CVE-2025-66199

vendor priority summary link
alpine CVE-2025-66199: 1 source package rows (openssl); 59 state rows across 5 repos (3.20-main, 3.21-main, 3.22-main, 3.23-main, edge-main); fixed 5, open 54. https://security.alpinelinux.org/vuln/CVE-2025-66199
debian unimportant CVE-2025-66199 unimportant priority: Debian including 1 source packages (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2025-66199
redhat low https://access.redhat.com/security/cve/CVE-2025-66199
suse medium CVE-2025-66199 severity moderate: SUSE including 307 source package names (16.3-1.20:libopenssl-3-fips-provider-3.5.0-160000.5.1, 16.3-1.20:libopenssl3-3.5.0-160000.5.1, …), 751 product×package rows across 91 product lines (Container suse/sles/16.0/toolbox, Image SL-Micro-Azure, … (91 product lines)): Known Not Affected 327, Known Affected 231, Fixed 186, First Fixed 7. https://www.suse.com/security/cve/CVE-2025-66199/
ubuntu low CVE-2025-66199 low priority: Ubuntu including 4 source packages (edk2, nodejs, openssl, openssl1.0), 32 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): not-affected 16, needs-triage 7, DNE 4, ignored 2, released 2, needed 1. https://ubuntu.com/security/CVE-2025-66199

Affected software / configurations for CVE-2025-66199

Vendor Product Version Raw CPE
openssl openssl >= 3.3.0, < 3.3.6 cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
openssl openssl >= 3.4.0, < 3.4.4 cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
openssl openssl >= 3.5.0, < 3.5.5 cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
openssl openssl >= 3.6.0, < 3.6.1 cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

References for CVE-2025-66199

cvelogic Threat Intelligence