
Dell BSAFE SSL-J CVE-2025-46638

EUVD ID: EUVD-2025-210066
Severity: HIGH
Weakness: Allocation of Resources Without Limits or Throttling (CWE-770)
Date: 2026-06-04
Vendor: dell
GitHub advisory: GHSA-wfr4-8j34-xj5h
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 04, 2026 - 15:01 (EUVD)
Analysis Generated: Jun 04, 2026 - 14:15 (vuln.today)

Description (NVD)

Dell BSAFE SSL-J contains an allocation of resources without limits or throttling vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to a Denial of Service (DoS).

Analysis (AI)

Denial of service in Dell BSAFE SSL-J allows unauthenticated remote attackers to exhaust resources on systems using the cryptographic library, rendering affected services unavailable. The flaw stems from CWE-770 (allocation of resources without limits or throttling) and carries a CVSS 7.5 score, reflecting network-reachable, no-privilege exploitation with high availability impact. No public exploit was identified at the time of analysis, and the issue is not listed in CISA KEV.

Technical Context (AI)

Dell BSAFE SSL-J is a Java-based TLS/SSL toolkit derived from the legacy RSA BSAFE cryptographic library, widely embedded in enterprise Java applications, middleware, and Dell products to provide FIPS-validated SSL/TLS connectivity. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling), a class of weakness where a component accepts attacker-influenced input that triggers unbounded memory, CPU, thread, or connection-state allocation; in TLS stacks this typically manifests during handshake parsing, session/state management, or buffer allocation prior to authentication. Per the CPE (cpe:2.3:a:dell:bsafe_ssl-j) the affected component is the application library itself rather than a specific Dell appliance, meaning impact propagates to any downstream product or in-house Java service that links the vulnerable SSL-J version.

Remediation (AI)

A patch is available per the vendor advisory: upgrade Dell BSAFE SSL-J to the fixed release identified in Dell DSA-2025-432 (https://www.dell.com/support/kbdoc/en-us/000398976/dsa-2025-432-security-update-for-dell-bsafe-ssl-j-vulnerability). The exact patched version is not enumerated in the provided data, so retrieve it directly from the advisory and update both standalone deployments and any bundled Dell products that ship SSL-J. As a compensating control until patching completes, place TLS endpoints that use SSL-J behind a hardened reverse proxy or load balancer that enforces connection rate limits, handshake timeouts, and per-source-IP throttling, so that resource-exhaustion traffic is absorbed upstream. The trade-off is added latency and operational complexity, and the proxy must terminate TLS to be effective. Where feasible, restrict network exposure of SSL-J-fronted services to known client ranges via firewall ACLs, and monitor for abnormal volumes of incomplete or stalled TLS handshakes as an early indicator of exploitation attempts.
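The monitoring control above (flagging sources with abnormal volumes of incomplete or stalled TLS handshakes), as an added example that is not Dell's code nor part of this advisory; the key=value handshake event log format, the 5-second stall threshold and the per-source budget of 3 stalled handshakes are assumptions.

```python
from collections import defaultdict

# Constructed sample events (assumed format: "<ts> src=<ip> conn=<id> event=<name>"):
# a normal client and a source that opens many handshakes but never completes them.
SAMPLE_LOG = """\
1000 src=10.0.0.5 conn=1 event=client_hello
1001 src=10.0.0.5 conn=1 event=handshake_complete
1002 src=203.0.113.9 conn=2 event=client_hello
1002 src=203.0.113.9 conn=3 event=client_hello
1003 src=203.0.113.9 conn=4 event=client_hello
1003 src=203.0.113.9 conn=5 event=client_hello
1004 src=203.0.113.9 conn=6 event=client_hello
1004 src=203.0.113.9 conn=2 event=handshake_complete
1030 src=10.0.0.5 conn=7 event=client_hello
"""

def parse_events(text):
    """Yield (ts, src, conn_id, event) tuples from key=value log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield int(ts), kv["src"], kv["conn"], kv["event"]

def stalled_handshakes(text, now, stall_after=5):
    """Return {src: count} of handshakes that began (ClientHello seen) but had
    not completed within `stall_after` seconds as of time `now`."""
    started = {}  # conn_id -> (src, ts of ClientHello)
    for ts, src, conn, event in parse_events(text):
        if event == "client_hello":
            started[conn] = (src, ts)
        elif event == "handshake_complete":
            started.pop(conn, None)  # completed: no longer pending
    counts = defaultdict(int)
    for src, ts in started.values():
        if now - ts >= stall_after:
            counts[src] += 1
    return dict(counts)

def flag_sources(text, now, max_stalled=3):
    """Sources whose stalled-handshake count exceeds the assumed per-source budget."""
    stalled = stalled_handshakes(text, now)
    return sorted(src for src, n in stalled.items() if n > max_stalled)

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG, now=1031))  # ['203.0.113.9']
```

In production the same logic would run over the proxy's or load balancer's connection log in a sliding window, with the threshold tuned to the service's normal handshake completion rate.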


CVE-2025-46638 vulnerability details – vuln.today
