OpenSSL Flaws Allow Remote Attackers to Execute Code
OpenSSL issued patches for 12 vulnerabilities on January 27, 2026. This extensive update includes one high-severity flaw that could enable remote code execution. While most of the identified issues...
OpenSSL issued patches for 12 vulnerabilities on January 27, 2026. This extensive update includes one high-severity flaw that could enable remote code execution. While most of the identified issues could lead to denial-of-service attacks, they collectively emphasize the inherent dangers when parsing untrusted data.
The most serious issue, CVE-2025-15467, hits CMS AuthEnvelopedData parsing with AEAD ciphers like AES-GCM. Attackers craft oversized IVs in ASN.1 parameters, causing stack overflows before authentication checks. This leads to crashes or potential remote code execution on apps handling untrusted CMS or PKCS#7 data, such as S/MIME.
Apps parsing remote CMS content face high risk since no key is needed to trigger the overflow. Exploitability depends on platform defenses like ASLR, but the stack write primitive poses severe danger. OpenSSL rated it High severity.
CVE-2025-11187 involves improper PBMAC1 validation in PKCS#12 files, leading to stack overflows or null dereferences in versions 3.6 to 3.4. Malicious files trigger buffer overflows during key derivation if keylength exceeds 64 bytes.
Several low-severity issues like CVE-2025-69419, CVE-2025-69421, and CVE-2026-22795 also hit PKCS#12 handling, causing out-of-bounds writes or null derefs.
| CVE ID | Severity | Brief Impact | Affected Versions | Patched Versions |
|---|---|---|---|---|
| CVE-2025-11187 | Moderate | Stack overflow in PKCS#12 MAC | 3.6, 3.5, 3.4 | 3.6.1, 3.5.5, 3.4.4 |
| CVE-2025-15467 | High | Stack overflow in CMS parsing | 3.6-3.0 | 3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19 |
| CVE-2025-15468 | Low | Null deref in QUIC cipher lookup | 3.6, 3.5, 3.4, 3.3 | 3.6.1, 3.5.5, 3.4.4, 3.3.6 |
| CVE-2025-15469 | Low | dgst tool truncates large inputs | 3.6, 3.5 | 3.6.1, 3.5.5 |
| CVE-2025-66199 | Low | TLS 1.3 cert compression DoS | 3.6, 3.5, 3.4, 3.3 | 3.6.1, 3.5.5, 3.4.4, 3.3.6 |
| CVE-2025-68160 | Low | Heap OOB write in BIO linebuffer | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |
| CVE-2025-69418 | Low | OCB tail bytes unencrypted | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69419 | Low | OOB write in PKCS12 friendlyname | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69420 | Low | Null deref in timestamp verify | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2025-69421 | Low | Null deref in PKCS12 decrypt | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |
| CVE-2026-22795 | Low | Type confusion in PKCS#12 | 3.6-3.0, 1.1.1 | 3.6.1-3.0.19, 1.1.1ze |
| CVE-2026-22796 | Low | Type confusion in PKCS7 digest | 3.6-3.0, 1.1.1, 1.0.2 | 3.6.1-3.0.19, 1.1.1ze, 1.0.2zn |
These hit parsing untrusted PKCS#12, PKCS#7, timestamps, or niche APIs. Most need crafted inputs, limiting remote exploits to specific setups, reads the advisory.
Vulnerabilities span OpenSSL 3.6 to 1.0.2, excluding older branches without features like PBMAC1 or QUIC. FIPS modules stay safe as the affected code sits outside boundaries.
Aisle Research found nearly all flaws, with Stanislav Fort reporting the most. Others credit Luigino Camastra, Petr Šimeček, Tomas Dulka, and Hamza (Metadust). Fixes by Tomas Mraz, Igor Ustinov, etc.
Mitigation Steps
Upgrade immediately: 3.6.1, 3.5.5, etc. Avoid untrusted PKCS#12/CMS inputs; validate file sizes. For TLS 1.3 compression, set SSL_OP_NO_RX_CERTIFICATE_COMPRESSION. Servers parsing S/MIME or timestamps should patch first due to remote risks.
OpenSSL powers web servers, VPNs, and crypto tools worldwide. Quick updates prevent DoS or worse in production. Check dependencies via package managers.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.