A cursory examination of the vuln and fix for CVE-2025-9231 shows a few things. The bug was introduced by a Huawei engineer—or at least, a git user with a Huawei email address. The “speed optimization” that introduced the bug was “like 10%” of the code in the libcrypto file. The fix was basically to blow away the custom code.
“Midpoint passive key recovery and decryption” is generally considered to be the holy grail of a SIGINT capability. The placement by a Huawei engineer in a speed optimization provides an additional layer of cover; was it an honest mistake, did he do it on behalf of his employer, or was he on someone else’s payroll?
If you’re very scared of surveillance and are actually serious about avoiding it, you might run ARM hardware (to avoid Management Engine and other Intel/AMD shenanigans in the processor), and you might opt to use FOSS software (auditable by you, and audited by many competent people), with algorithms that were not developed in the US (like SM2). If someone worth attacking did exactly this, this would be a plausible way to turn passive observation of encrypted traffic into high quality SIGINT.
Interestingly enough, this may also parallel the “cryptographically relevant quantum computer” fears. If someone was collecting information at the midpoint on vulnerable systems but did not know about this bug, there might be a way for them to leverage it to decrypt stored communications. (If you can pull session keys from passive, you can decrypt sessions—though there might be issues imposed by PFS, you may not always get the whole thing, and network jitter might make passive timing attacks hard. But if this was a nation state, they would have aggressively tested this, and it would be relevant to whatever sensor they possess and whatever compute they could throw at the task.)
We don’t know if anyone important used that configuration, we don’t know if anyone was listening, and we don’t know if that engineer just got overzealous with optimization.
I hope you guys thought about the possibility of burning some nation state’s presumably very expensive and long-term operation (with the attendant interest you will generate) before you posted—and chose to go forward anyway.
If the discovery was from reviewing comments instead of reviewing code, that’s unfortunate and makes me less optimistic about the technology. A conspiracy theorist can always add complexity to keep a nefarious explanation alive. I don’t think that there’s any evidence of nefarious activity by that engineer so I hope he doesn’t suffer personally or professionally.
I stand by my analysis, this is the type of bug that would be useful to a nation state, assuming it is actually exploitable.
A cursory examination of the vuln and fix for CVE-2025-9231 shows a few things. The bug was introduced by a Huawei engineer—or at least, a git user with a Huawei email address. The “speed optimization” that introduced the bug was “like 10%” of the code in the
libcryptofile. The fix was basically to blow away the custom code.“Midpoint passive key recovery and decryption” is generally considered to be the holy grail of a SIGINT capability. The placement by a Huawei engineer in a speed optimization provides an additional layer of cover; was it an honest mistake, did he do it on behalf of his employer, or was he on someone else’s payroll?
If you’re very scared of surveillance and are actually serious about avoiding it, you might run ARM hardware (to avoid Management Engine and other Intel/AMD shenanigans in the processor), and you might opt to use FOSS software (auditable by you, and audited by many competent people), with algorithms that were not developed in the US (like SM2). If someone worth attacking did exactly this, this would be a plausible way to turn passive observation of encrypted traffic into high quality SIGINT.
Interestingly enough, this may also parallel the “cryptographically relevant quantum computer” fears. If someone was collecting information at the midpoint on vulnerable systems but did not know about this bug, there might be a way for them to leverage it to decrypt stored communications. (If you can pull session keys from passive, you can decrypt sessions—though there might be issues imposed by PFS, you may not always get the whole thing, and network jitter might make passive timing attacks hard. But if this was a nation state, they would have aggressively tested this, and it would be relevant to whatever sensor they possess and whatever compute they could throw at the task.)
We don’t know if anyone important used that configuration, we don’t know if anyone was listening, and we don’t know if that engineer just got overzealous with optimization.
I hope you guys thought about the possibility of burning some nation state’s presumably very expensive and long-term operation (with the attendant interest you will generate) before you posted—and chose to go forward anyway.
The commit for the bug’s introduction you’re alluding to is https://github.com/openssl/openssl/pull/20754, correct?
In that thread,
The Huawei engineer, Xu Yizhou, posts an important comment about the need to implement constant-time methods to avoid a side-channel.
An Australian OpenSSL reviewer, paulidale, replies that “[constant time] need not be done in this pull request”.
Two years later, the fix for CVE-2025-9231 introduces the constant time methods, originally recommended by Yizhou.
In my opinion, the most likely chain of true events is:
AISLE has a past PR/commit discussion scanning system, which asks LLMs for analysis
One of those scans noticed Yizhou’s unaddressed message, and thus discovered the CVE.
I believe there is no reason to cast claims of nerfious activity, from this particular Huawei engineer.
If the discovery was from reviewing comments instead of reviewing code, that’s unfortunate and makes me less optimistic about the technology. A conspiracy theorist can always add complexity to keep a nefarious explanation alive. I don’t think that there’s any evidence of nefarious activity by that engineer so I hope he doesn’t suffer personally or professionally.
I stand by my analysis, this is the type of bug that would be useful to a nation state, assuming it is actually exploitable.