OpenSSL Win64 Installer Team
Patches for OpenSSL x64 EXE
Windows
4 patches available
The OpenSSL Installation Project is dedicated to providing a simple installation of OpenSSL for Microsoft Windows. It is easy to set up and easy to use through the simple, effective installer. No need to compile anything or jump through any hoops, just click a few times and it is installed, leaving you to doing real work.
OpenSSL x64 EXE Version 3.6.1
Release Date
1/27/2026
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes
Changes between 3.6.0 and 3.6.1 [27 Jan 2026]

- Fixed improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
  Severity: Moderate
  Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation, which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.
  Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.
  Reported by: Stanislav Fort (Aisle Research), Petr Šimecek (Aisle Research) and Hamza (Metadust)
  (CVE-2025-11187)
  Tomáš Mráz

- Fixed stack buffer overflow in CMS AuthEnvelopedData parsing.
  Severity: High
  Issue summary: Parsing a CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.
  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.
  Reported by: Stanislav Fort (Aisle Research)
  (CVE-2025-15467)
  Igor Ustinov

- Fixed NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
  Severity: Low
  Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.
  Impact summary: A NULL pointer dereference leads to abnormal termination of the running process, causing Denial of Service.
  Reported by: Stanislav Fort (Aisle Research)
  (CVE-2025-15468)
  Stanislav Fort

- Fixed openssl dgst one-shot codepath silently truncating inputs >16 MiB.
  Severity: Low
  Issue summary: The openssl dgst command-line tool silently truncates input data to 16 MiB when using one-shot signing algorithms and reports success instead of an error.
  Impact summary: A user signing or verifying files larger than 16 MiB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16 MiB remains unauthenticated.
  Reported by: Stanislav Fort (Aisle Research)
  (CVE-2025-15469)
OpenSSL x64 EXE Version 3.6.0
Release Date
10/1/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes
Changes between 3.5 and 3.6.0 [1 Oct 2025]

- Added support for EVP_SKEY opaque symmetric key objects to the key derivation and key exchange provider methods. Added EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() functions.
- Added PCT for key import for SLH-DSA when in FIPS mode.
- Added i2d_PKCS8PrivateKey(3) API to complement i2d_PrivateKey(3); the former always outputs PKCS#8.
- Implemented interleaved AES-CBC+HMAC-SHA algorithm on AArch64.
- Added NIST security categories for PKEY objects.
- Added notification when all stream FINs are acknowledged in QUIC. Introduced ossl_quic_channel_notify_flush_done() so that once final FINs are ACKed, the channel transitions to terminating and SSL_poll() signals completion. This allows applications to progress shutdown reliably.
- Added array memory allocation routines and converted suitable memory allocation calls in the library to them.
- Fixed behavior change of EC keygen by adding the generic error entry if the provider did not itself add an error entry onto the queue. That way, there always is an error on the error queue in case of a failure, but no behavior change in case the provider emitted the error entry itself.
- Documented all the environment variables used across the project in openssl-env(7) and in specific man pages.
- Added SHA-2 assembly implementation enhancing performance for LoongArch. Added optimized SM3, MD5, SHA-256, SHA-512 implementations using the Zbb extension for RISC-V.
- Added options CRYPTO_MEM_SEC and CRYPTO_MEM_SEC_MINSIZE to the openssl app to initialize secure memory at the beginning of the openssl app.
- Resolved compiler warnings on Win64 builds.
- Extended the new CRYPTO_THREAD_[get|set]_local API to reduce the usage of OS thread-local variables.
- Added make targets build_inst_sw and build_inst_programs which have the functionality to split the build into two parts, e.g. when tests should be built with different compiler flags than the installed software.
- Refactored OSSL_PARAM name parsing so that automatically generated parsers are used instead of OSSL_PARAM_locate() calls. This should also ensure that the list of acceptable parameters better matches those which are actually processed. It should also provide a small performance improvement, because repeated iteration over passed parameter arrays is avoided.
- Introduced SSL_OP_SERVER_PREFERENCE, superseding the misleadingly named SSL_OP_CIPHER_SERVER_PREFERENCE.
- Added LMS signature verification support as per SP 800-208. This support is present in both the FIPS and default providers.
- Introduced use of <stdbool.h> when handling JSON encoding in the OpenSSL codebase, replacing the previous use of int for these boolean values.
- An ANSI-C toolchain is no longer sufficient for building OpenSSL. The code should be built using compilers supporting C-99 features.
- Support for the VxWorks platforms has been removed. These platforms were unadopted, unmaintained and reported to be non-functional.
- Relaxed the path check in OpenSSL's file: scheme implementation for OSSL_STORE. Previously, when the file: scheme is an explicit part of the URI, our implementation required an absolute path, such as file:/path/to/file.pem. This requirement is now relaxed, allowing file:path/to/file.pem, as well as file:file.pem.
- Changed openssl-pkey(1) to match the documentation when private keys are output in DER format (-outform DER) by producing the PKCS#8 form by default. Previously, this would output the traditional form for those older key types (DSA, RSA, ECDSA) that had such a form. The -traditional flag has been extended to support explicit requests to output that format in DER format (it was previously PEM-only).
- Added an openssl configutl utility for processing the OpenSSL configuration file and dumping the equal configuration file.
- Added support for setting a free function thunk to OPENSSL_sk stack types. Using a thunk allows the type specific free function to be called with
OpenSSL x64 EXE Version 3.4.0
Release Date
10/22/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes
Major changes between OpenSSL 3.3 and OpenSSL 3.4.0 [22 Oct 2024]

OpenSSL 3.4.0 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible changes:

- Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement TS_VERIFY_CTX_set0_* functions with improved semantics
- Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that what were formerly build time locations can now be defined at run time with registry keys
OpenSSL x64 EXE Version 3.4.3
Release Date
9/30/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes
Changes between 3.5.3 and 3.5.4 [30 Sep 2025]

- Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
  Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.
  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.
  The issue was reported by Stanislav Fort (Aisle Research).
  (CVE-2025-9230)
  Viktor Dukhovni

- Fix Timing side-channel in SM2 algorithm on 64 bit ARM
  Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.
  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.
  The issue was reported by Stanislav Fort (Aisle Research).
  (CVE-2025-9231)