CVE-2025-4432: Ring: some aes functions may panic when overflow checking is enabled in ring

Description

A flaw was found in the Rust ring crate. Some AES functions may panic when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce the panic by sending a specially crafted packet. The panic is also likely to occur unintentionally in roughly 1 out of every 2^32 packets sent or received.

Classification

CVE ID: CVE-2025-4432

Problem Types

Allocation of Resources Without Limits or Throttling

Affected Products

Vendor: Red Hat

Product: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat OpenShift Container Platform 4, Red Hat Satellite 6, Red Hat Trusted Artifact Signer, Red Hat Trusted Profile Analyzer

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.13% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 33.24% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-07 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4432
https://access.redhat.com/security/cve/CVE-2025-4432
https://bugzilla.redhat.com/show_bug.cgi?id=2350655
https://github.com/briansmith/ring
https://github.com/briansmith/ring/blob/main/RELEASES.md#version-01712-2025-03-05
https://github.com/briansmith/ring/commit/ec2d3cf1d91f148c84e4806b4f0b3c98f6df3b38
https://github.com/briansmith/ring/pull/2447
https://rustsec.org/advisories/RUSTSEC-2025-0009.html

Timeline