OpenSSL have published a security advisory. Here's how it affects BoringSSL:
| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2025-9230 | Out-of-bounds read & write in RFC 3211 KEK Unwrap | Moderate | Not affected; the affected code was removed from BoringSSL in the initial fork |
| CVE-2025-9231 | Timing side-channel in SM2 algorithm on 64-bit ARM | Moderate | Not affected; the issue was introduced after the fork |
| CVE-2025-9232 | Out-of-bounds read in HTTP client no_proxy handling | Low | Not affected; the issue was introduced after the fork |