vulnerability
Arch Linux: Certificate verification bypass (CVE-2025-4575)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:N/C:N/I:P/A:P) | May 22, 2025 | Jul 11, 2025 | Jan 28, 2026 |
Severity
6
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:P)
Published
May 22, 2025
Added
Jul 11, 2025
Modified
Jan 28, 2026
Description
Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate.
If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use.
If, for example, a trusted CA certificate should be trusted only for the purpose of authenticating TLS servers but not for CMS signature verification and the CMS signature verification is intended to be marked as rejected with the -addreject option, the resulting CA certificate will be trusted for CMS signature verification purpose instead.
Only users which use the trusted certificate format who use the openssl x509 command line application to add rejected uses are affected by this issue.
If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use.
If, for example, a trusted CA certificate should be trusted only for the purpose of authenticating TLS servers but not for CMS signature verification and the CMS signature verification is intended to be marked as rejected with the -addreject option, the resulting CA certificate will be trusted for CMS signature verification purpose instead.
Only users which use the trusted certificate format who use the openssl x509 command line application to add rejected uses are affected by this issue.
Solution
arch-linux-upgrade-latest
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.