CVE-2025-46638: Dell BSAFE SSL-J Resource Exhaustion DoS Vulnerability
Dell BSAFE SSL-J contains a resource exhaustion vulnerability that allows an unauthenticated attacker on the network to overwhelm the application by allocating unbounded resources without limits or throttling mechanisms. This causes a denial of service condition, rendering the service unavailable to legitimate users. No authentication is required to trigger the flaw, making it accessible to any remote attacker.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-770
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Dell BSAFE SSL-J contains an allocation of resources without limits or throttling vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to a Denial of Service (DoS).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-46638 is a resource exhaustion vulnerability (CWE-770) in Dell BSAFE SSL-J stemming from improper allocation of system resources without rate limiting or quota enforcement. The vulnerable code fails to implement throttling or upper bounds on resource consumption, permitting an unauthenticated remote attacker to trigger excessive allocation of memory, CPU, connections, or similar finite resources. Once exhausted, the service becomes unavailable. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network-based exploitation requiring no privileges or user interaction, with high availability impact.
Business impact
Organizations deploying Dell BSAFE SSL-J in production face service disruption risk. Affected SSL/TLS services may become unresponsive during an attack, interrupting encrypted communications and downstream applications that depend on certificate validation or cryptographic operations. Since no authentication is required, any internet-facing instance is at risk. Recovery typically requires service restart, incurring operational overhead and potential data-in-flight loss.
Affected systems
Dell BSAFE SSL-J is vulnerable. The vendor product list was not populated in the advisory, so confirm your specific version against Dell's security bulletin. BSAFE SSL-J is commonly embedded in enterprise applications requiring SSL/TLS functionality; audit all systems integrating this library.
Exploitability
Exploitability is straightforward: the attack vector is network-based, requires no credentials, no user interaction, and involves minimal complexity. An attacker can craft requests that trigger unbounded resource allocation from any network vantage point. No CVSS Environmental or Temporal score modifications are indicated, and the vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, though this does not indicate absence of real-world exploitation.
Remediation
Patch Dell BSAFE SSL-J to a patched version per Dell's security advisory. If immediate patching is not feasible, implement network-level mitigations: restrict inbound access to SSL/TLS ports via firewall rules, deploy rate limiting and connection throttling at the network perimeter, and consider Web Application Firewall (WAF) rules to detect and block malformed or repetitive requests. Monitor resource consumption metrics to detect anomalous allocation patterns.
Patch guidance
Consult Dell's official security bulletin for CVE-2025-46638 to identify the specific patched version for your deployment. Apply patches during a controlled maintenance window after validating in a test environment. Verify patch application by confirming the updated library version in your build artifacts and confirming service functionality post-deployment. Maintain inventory of all systems using BSAFE SSL-J to ensure comprehensive coverage.
Detection guidance
Monitor for spikes in resource utilization (memory, file descriptors, network connections) on systems running BSAFE SSL-J without corresponding legitimate traffic increases. Enable verbose logging on SSL/TLS services to identify patterns of rapid connection attempts, oversized payloads, or repeated error conditions. Set up alerting on service unavailability or restarts. Network-level detection is challenging without deep packet inspection; focus on behavioral anomalies and resource exhaustion signatures.
Why prioritize this
This vulnerability scores CVSS 7.5 (HIGH) due to remote network exploitability requiring no credentials and delivering high availability impact. Although not yet in the KEV catalog, the ease of exploitation and immediate business impact warrant priority remediation. Organizations should schedule patching within 2–4 weeks depending on asset criticality and operational risk tolerance.
Risk score, explained
CVSS 3.1 score of 7.5 reflects: Attack Vector = Network (AV:N), meaning any internet-facing instance is at risk; Attack Complexity = Low (AC:L), indicating straightforward exploitation; Privileges Required = None (PR:N) and User Interaction = None (UI:N), removing friction; Scope = Unchanged (S:U); Confidentiality and Integrity = None (C:N, I:N); Availability = High (A:H) due to denial of service. The score does not account for prevalence or active exploitation; verify threat intelligence feeds for real-world activity.
Frequently asked questions
What is BSAFE SSL-J and who uses it?
BSAFE SSL-J is Dell's SSL/TLS cryptographic library used in enterprise applications, middleware, and appliances requiring secure communications. Check your software bill of materials (SBOM) or vendor documentation to determine if your applications link against or embed this library.
Can this vulnerability be exploited over encrypted connections?
Yes. Since the vulnerability is in the SSL/TLS library itself, exploitation can occur during the TLS handshake or early in the connection lifecycle, before authentication occurs. The attacker does not need to have already-established trust.
What is the difference between this vulnerability and other DoS attacks?
This is a resource exhaustion DoS, not a network-flooding attack. The attacker exploits a code flaw that causes uncontrolled resource allocation, making it more efficient and harder to defend against via simple rate limiting alone. Patching the library is the definitive remediation.
Why is this vulnerability not in the CISA KEV catalog yet?
The KEV catalog includes only vulnerabilities with confirmed evidence of active exploitation in the wild. Absence from KEV does not mean the vulnerability is less severe or will not be exploited; it simply reflects current threat intelligence. Monitor vendor advisories and threat feeds for updates.
This analysis is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Security teams must independently verify all patch versions, affected product lists, and deployment impacts against official vendor advisories and internal system inventories. Threat intelligence and KEV status are subject to change; consult authoritative sources for the latest updates. Always test patches in non-production environments before broad deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-28299HIGHSolarWinds Web Help Desk Denial-of-Service Vulnerability – CVSS 8.2
- CVE-2026-34077HIGHReact Router XSS in RSC Redirect Handling – Patch Guidance
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk