OpenSSL patched 12 vulnerabilities on January 27, 2026, including one high-severity flaw that could lead to remote code execution. Most of the issues cause denial of service, but they highlight the risks of parsing untrusted data.
The most serious issue, CVE-2025-15467, hits CMS AuthEnvelopedData parsing with AEAD ciphers like AES-GCM. Attackers craft oversized IVs in ASN.1 parameters, causing stack overflows before authentication checks. This leads to crashes or potential remote code execution on apps handling untrusted CMS or PKCS#7 data, such as S/MIME.
Apps parsing remote CMS content face high risk since no key is needed to trigger the overflow. Exploitability depends on platform defenses like ASLR, but the stack write primitive poses severe danger. OpenSSL rated it High severity.
CVE-2025-11187 involves improper PBMAC1 validation in PKCS#12 files, leading to stack overflows or null dereferences in versions 3.6 to 3.4. Malicious files trigger buffer overflows during key derivation if keylength exceeds 64 bytes.
Several low-severity issues like CVE-2025-69419, CVE-2025-69421, and CVE-2026-22795 also hit PKCS#12 handling, causing out-of-bounds writes or null derefs.
| CVE ID | Severity | Brief Impact | Affected Versions | Patched Versions |
|---|---|---|---|---|
| CVE-2025-11187 | Moderate | Stack overflow in PKCS#12 MAC | 3.6, 3.5, 3.4 | 3.6.1, 3.5.5, 3.4.4 |
| CVE-2025-15467 | High | Stack overflow in CMS parsing | 3.6-3.0 | 3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19 |
| CVE-2025-15468 | Low | Null deref in QUIC cipher lookup | 3.6, 3.5, 3.4, 3.3 | 3.6.1, 3.5.5, 3.4.4, 3.3.6 |
| CVE-2025-15469 | Low | dgst tool truncates large inputs | 3.6, 3.5 | 3.6.1, 3.5.5 |
| CVE-2025-66199 | Low | TLS 1.3 cert compression DoS | 3.6, 3.5, 3.4, 3.3 | 3.6.1, 3.5.5, 3.4.4, 3.3.6 |
| CVE-2025-68160 | Low | Heap OOB write in BIO linebuffer | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |
| CVE-2025-69418 | Low | OCB tail bytes unencrypted | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69419 | Low | OOB write in PKCS12 friendlyname | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69420 | Low | Null deref in timestamp verify | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69421 | Low | Null deref in PKCS12 decrypt | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |
| CVE-2026-22795 | Low | Type confusion in PKCS#12 | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2026-22796 | Low | Type confusion in PKCS7 digest | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |
These affect parsing of untrusted PKCS#12, PKCS#7, timestamps, or niche APIs. Most need crafted inputs, limiting remote exploits to specific setups, reads the advisory.
Vulnerabilities span OpenSSL 3.6 to 1.0.2, excluding older branches without features like PBMAC1 or QUIC. FIPS modules stay safe because the affected code sits outside their boundaries.
| Version | Vulnerable CVEs | Fixed Version |
|---|---|---|
| 3.6 | All except 1.0.2-specific | 3.6.1 |
| 3.5 | Most | 3.5.5 |
| 3.4 | Most | 3.4.4 |
| 3.3 | Several | 3.3.6 |
| 3.0 | CMS, BIO, etc. | 3.0.19 |
| 1.1.1 | BIO, OCB, PKCS#12 | 1.1.1ze (premium) |
| 1.0.2 | BIO, PKCS#7 | 1.0.2zn (premium) |
Aisle Research found nearly all flaws, with Stanislav Fort reporting the most. Others credit Luigino Camastra, Petr Šimeček, Tomas Dulka, and Hamza (Metadust). Fixes by Tomas Mraz, Igor Ustinov, etc.
Mitigation Steps
Upgrade immediately: 3.6.1, 3.5.5, etc. Avoid untrusted PKCS#12/CMS inputs; validate file sizes. For TLS 1.3 compression, set SSL_OP_NO_RX_CERTIFICATE_COMPRESSION. Servers parsing S/MIME or timestamps should patch first due to remote risks.
OpenSSL powers web servers, VPNs, and crypto tools worldwide. Quick updates prevent DoS or worse in production. Check dependencies via package managers.
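To turn the fixed-version table above into an inventory check, the following added example (not from the OpenSSL advisory or the original article) classifies an `openssl version` string against the patched releases listed on this page. The function names and the "unlisted" result for branches the table does not mention are assumptions of this sketch.

```python
import re
import ssl

# Fixed release per branch, copied from the table in this article.
FIXED = {
    "3.6": "3.6.1", "3.5": "3.5.5", "3.4": "3.4.4", "3.3": "3.3.6",
    "3.0": "3.0.19", "1.1.1": "1.1.1ze", "1.0.2": "1.0.2zn",
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract (major, minor, patch, letters) from e.g. 'OpenSSL 1.1.1w ...'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def _sort_key(v):
    major, minor, patch, letters = v
    # 1.x letter releases run a..z, then za, zb, ...; a longer suffix is newer,
    # so compare suffix length before comparing the letters themselves.
    return (major, minor, patch, len(letters), letters)


def branch_of(v):
    """3.x branches are major.minor; 1.x branches are major.minor.patch."""
    major, minor, patch, _ = v
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"


def patch_status(version_text):
    """Return 'patched', 'vulnerable', or 'unlisted' (branch not in the table)."""
    v = parse_version(version_text)
    fixed = FIXED.get(branch_of(v))
    if fixed is None:
        return "unlisted"
    return "patched" if _sort_key(v) >= _sort_key(parse_version(fixed)) else "vulnerable"


if __name__ == "__main__":
    # Checks the OpenSSL build this Python interpreter is linked against.
    print(ssl.OPENSSL_VERSION, "->", patch_status(ssl.OPENSSL_VERSION))
```

Distribution packages often backport fixes without changing the upstream version number, so a "vulnerable" result on a vendor build should be confirmed against that vendor's own advisory.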
