OpenSSL Vulnerabilities Allow Remote Attackers to Execute Malicious Code

OpenSSL patched 12 vulnerabilities on January 27, 2026, including one high-severity flaw that could lead to remote code execution. Most issues cause denial-of-service attacks but highlight risks in parsing untrusted data.

The most serious issue, CVE-2025-15467, affects parsing of CMS AuthEnvelopedData that uses AEAD ciphers like AES-GCM. An oversized IV in the ASN.1 parameters causes a stack overflow before any authentication check runs. This leads to crashes or potential remote code execution in apps handling untrusted CMS or PKCS#7 data, such as S/MIME.

Apps parsing remote CMS content face high risk since no key is needed to trigger the overflow. Exploitability depends on platform defenses like ASLR, but the stack write primitive poses severe danger. OpenSSL rated it High severity.

CVE-2025-11187 involves improper PBMAC1 validation in PKCS#12 files, leading to stack overflows or null dereferences in versions 3.6 to 3.4. Malicious files trigger buffer overflows during key derivation if keylength exceeds 64 bytes.

Several low-severity issues like CVE-2025-69419, CVE-2025-69421, and CVE-2026-22795 also hit PKCS#12 handling, causing out-of-bounds writes or null derefs.

| CVE ID | Severity | Brief Impact | Affected Versions | Patched Versions |
|---|---|---|---|---|
| CVE-2025-11187 | Moderate | Stack overflow in PKCS#12 MAC | 3.6, 3.5, 3.4 | 3.6.1, 3.5.5, 3.4.4 |
| CVE-2025-15467 | High | Stack overflow in CMS parsing | 3.6-3.0 | 3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19 |
| CVE-2025-15468 | Low | Null deref in QUIC cipher lookup | 3.6, 3.5, 3.4, 3.3 | 3.6.1, 3.5.5, 3.4.4, 3.3.6 |
| CVE-2025-15469 | Low | dgst tool truncates large inputs | 3.6, 3.5 | 3.6.1, 3.5.5 |
| CVE-2025-66199 | Low | TLS 1.3 cert compression DoS | 3.6, 3.5, 3.4, 3.3 | 3.6.1, 3.5.5, 3.4.4, 3.3.6 |
| CVE-2025-68160 | Low | Heap OOB write in BIO linebuffer | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |
| CVE-2025-69418 | Low | OCB tail bytes unencrypted | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69419 | Low | OOB write in PKCS12 friendlyname | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69420 | Low | Null deref in timestamp verify | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69421 | Low | Null deref in PKCS12 decrypt | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |
| CVE-2026-22795 | Low | Type confusion in PKCS#12 | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2026-22796 | Low | Type confusion in PKCS7 digest | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |

These affect the parsing of untrusted PKCS#12, PKCS#7, timestamps, or niche APIs. Most need crafted inputs, limiting remote exploits to specific setups, according to the advisory.

Vulnerabilities span OpenSSL 3.6 to 1.0.2, excluding older branches without features like PBMAC1 or QUIC. FIPS modules stay safe as the affected code sits outside boundaries.

| Version | Vulnerable CVEs | Fixed Version |
|---|---|---|
| 3.6 | All except 1.0.2-specific | 3.6.1 |
| 3.5 | Most | 3.5.5 |
| 3.4 | Most | 3.4.4 |
| 3.3 | Several | 3.3.6 |
| 3.0 | CMS, BIO, etc. | 3.0.19 |
| 1.1.1 | BIO, OCB, PKCS#12 | 1.1.1ze (premium) |
| 1.0.2 | BIO, PKCS#7 | 1.0.2zn (premium) |

Aisle Research found nearly all flaws, with Stanislav Fort reporting the most. Others credited include Luigino Camastra, Petr Šimeček, Tomas Dulka, and Hamza (Metadust). Fixes came from Tomas Mraz, Igor Ustinov, and others.

Mitigation Steps

Upgrade immediately: 3.6.1, 3.5.5, etc. Avoid untrusted PKCS#12/CMS inputs; validate file sizes. For TLS 1.3 compression, set SSL_OP_NO_RX_CERTIFICATE_COMPRESSION. Servers parsing S/MIME or timestamps should patch first due to remote risks.

OpenSSL powers web servers, VPNs, and crypto tools worldwide. Quick updates prevent DoS or worse in production. Check dependencies via package managers.
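
A triage check built from the fixed-version table above, added here as an example and not code from OpenSSL or the original article: it classifies an `openssl version` banner against the fixed release listed for its branch, including the lettered 1.1.1 and 1.0.2 releases. The function names and the sample banners are constructed for illustration.

```python
import re

# Fixed release per branch, copied from the fixed-version table on this page.
FIXED = {
    "3.6": "3.6.1", "3.5": "3.5.5", "3.4": "3.4.4", "3.3": "3.3.6",
    "3.0": "3.0.19", "1.1.1": "1.1.1ze", "1.0.2": "1.0.2zn",
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")

def parse(version):
    """Return (major, minor, patch, letters) from a version or banner string."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"no OpenSSL version in {version!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters

def sort_key(parsed):
    major, minor, patch, letters = parsed
    # Letter releases order '' < a < ... < z < za < zb: length first, then text.
    return (major, minor, patch, len(letters), letters)

def branch_of(parsed):
    major, minor, patch, _ = parsed
    # 3.x branches are major.minor; 1.x branches are major.minor.patch.
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"

def triage(banner):
    """Classify a version string as 'patched', 'vulnerable' or 'unlisted'."""
    installed = parse(banner)
    fixed = FIXED.get(branch_of(installed))
    if fixed is None:
        return "unlisted"  # branch has no fixed release in the table (e.g. 3.2)
    if sort_key(installed) >= sort_key(parse(fixed)):
        return "patched"
    return "vulnerable"

if __name__ == "__main__":
    # Constructed sample banners, in the shape `openssl version` prints.
    for banner in ("OpenSSL 3.5.4 30 Sep 2025", "OpenSSL 1.1.1w  11 Sep 2023",
                   "OpenSSL 3.6.1 27 Jan 2026", "OpenSSL 3.2.1 30 Jan 2024"):
        print(f"{banner!r}: {triage(banner)}")
```

Distribution packages often backport fixes without changing the upstream version number, so a "vulnerable" result on a distro build should be confirmed against the vendor's own advisory.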

The post OpenSSL Vulnerabilities Allow Remote Attackers to Execute Malicious Code appeared first on Cyber Security News.

Source: cybersecuritynews.com
