9.8

CVE-2025-15467

Medienbericht
Exploit

Stack buffer overflow in CMS (Auth)EnvelopedData parsing

Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with
maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.

When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as
AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
copied into a fixed-size stack buffer without verifying that its length fits
the destination. An attacker can supply a crafted CMS message with an
oversized IV, causing a stack-based out-of-bounds write before any
authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenSSLOpenSSL Version >= 3.0.0 < 3.0.19
OpenSSLOpenSSL Version >= 3.1.0 < 3.3.6
OpenSSLOpenSSL Version >= 3.4.0 < 3.4.4
OpenSSLOpenSSL Version >= 3.5.0 < 3.5.5
OpenSSLOpenSSL Version >= 3.6.0 < 3.6.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 47.62% 0.987
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
22.04.2026 11:02
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
02.03.2026 15:39
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
02.02.2026 09:52
https://openssl-library.org/news/secadv/20260127.txt
Vendor Advisory
https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703
Patch
https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9
Patch
https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3
Patch
https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e
Patch
https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc
Patch
http://www.openwall.com/lists/oss-security/2026/01/27/10
Mailing List
https://access.redhat.com/errata/RHSA-2026:1736
https://access.redhat.com/errata/RHSA-2026:2485
https://access.redhat.com/errata/RHSA-2026:2072
https://access.redhat.com/errata/RHSA-2026:2563
https://access.redhat.com/errata/RHSA-2026:2844
https://access.redhat.com/errata/RHSA-2026:2659
https://access.redhat.com/errata/RHSA-2026:2633
https://access.redhat.com/errata/RHSA-2026:2671
http://www.openwall.com/lists/oss-security/2026/02/25/6
Mailing List
https://access.redhat.com/errata/RHSA-2026:2974
https://access.redhat.com/errata/RHSA-2026:3461
https://access.redhat.com/errata/RHSA-2026:3462
https://access.redhat.com/errata/RHSA-2026:3415
https://access.redhat.com/errata/RHSA-2026:4943
https://access.redhat.com/errata/RHSA-2026:4419
https://github.com/guiimoraes/CVE-2025-15467
Third Party Advisory
Exploit
https://cert-portal.siemens.com/productcert/html/ssa-434797.html
https://access.redhat.com/errata/RHSA-2026:1472
https://access.redhat.com/errata/RHSA-2026:1473
https://access.redhat.com/errata/RHSA-2026:1496
https://access.redhat.com/errata/RHSA-2026:1503
https://access.redhat.com/errata/RHSA-2026:1519
https://access.redhat.com/errata/RHSA-2026:1594
https://access.redhat.com/errata/RHSA-2026:1733
https://access.redhat.com/errata/RHSA-2026:2077
https://access.redhat.com/errata/RHSA-2026:2995
https://access.redhat.com/errata/RHSA-2026:3228
https://access.redhat.com/errata/RHSA-2026:6481
https://access.redhat.com/errata/RHSA-2026:7261
https://access.redhat.com/security/cve/CVE-2025-15467
https://bugzilla.redhat.com/show_bug.cgi?id=2430376
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-15467.json