OpenSSL Release Announcement for 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd and 1.0.2zm

Sep 30, 2025

Release Announcement for OpenSSL Library 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.1.1zd and 1.0.2zm

The OpenSSL Project team announces the release of new versions of our open-source toolkit for SSL/TLS.

Changes and CVEs fixed in 3.5.4:

• CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
• CVE-2025-9231 - Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
• CVE-2025-9232 - Fix Out-of-bounds read in HTTP client no_proxy handling.
• Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release builds, as it broke some exiting applications that relied on the previous 3.x semantics, as documented in OpenSSL_version(3).

CVEs fixed in 3.4.3:

• CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
• CVE-2025-9231 - Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
• CVE-2025-9232 - Fix Out-of-bounds read in HTTP client no_proxy handling.

CVEs fixed in 3.3.5:

• CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
• CVE-2025-9231 - Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
• CVE-2025-9232 - Fix Out-of-bounds read in HTTP client no_proxy handling.

CVEs fixed in 3.2.6:

• CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
• CVE-2025-9231 - Fix Timing side-channel in SM2 algorithm on 64-bit ARM.
• CVE-2025-9232 - Fix Out-of-bounds read in HTTP client no_proxy handling.

CVEs fixed in 3.0.18:

• CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.
• CVE-2025-9232 - Fix Out-of-bounds read in HTTP client no_proxy handling.

CVEs fixed in 1.1.1zd: (premium support customers only)

• CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.

CVEs fixed in 1.0.2zm: (premium support customers only)

• CVE-2025-9230 - Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap.

All releases contain miscellaneous minor bug fixes. For details of the changes, refer to the release notes for versions 1.0.2, 1.1.1, 3.0, 3.2, 3.3, 3.4, and 3.5.

Specific notes on upgrading from previous versions are available in the OpenSSL Migration Guide.

OpenSSL Library 3.x is available for download at these URLs:

• https://www.openssl.org/source/
• https://github.com/openssl/openssl/releases

The distribution file names are for:

• OpenSSL Library 3.5.4 - openssl-3.5.4
• OpenSSL Library 3.4.3 - openssl-3.4.3
• OpenSSL Library 3.3.5 - openssl-3.3.5
• OpenSSL Library 3.2.6 - openssl-3.2.6
• OpenSSL Library 3.0.18 - openssl-3.0.18
• OpenSSL Library 1.1.1zd - openssl-1.1.1zd
• OpenSSL Library 1.0.2zm - openssl-1.0.2zm