CVE-2025-15467
- Source
- https://cve.org/CVERecord?id=CVE-2025-15467
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15467.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-15467
- Downstream
- Related
- Published
- 2026-01-27T16:16:14.257Z
- Modified
- 2026-01-30T22:52:35.564412Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.
When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
- References
-
- https://openssl-library.org/news/secadv/20260127.txt
- http://www.openwall.com/lists/oss-security/2026/01/27/10
- https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703
- https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9
- https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3
- https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e
- https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc
Affected packages
Git / github.com/openssl/openssl
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openssl/openssl
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixedFixedFixed
Affected versions
3.*
3.0-POST-CLANG-FORMAT-WEBKIT
3.0-PRE-CLANG-FORMAT-WEBKIT
3.3-POST-CLANG-FORMAT-WEBKIT
3.3-PRE-CLANG-FORMAT-WEBKIT
3.4-POST-CLANG-FORMAT-WEBKIT
3.4-PRE-CLANG-FORMAT-WEBKIT
3.5-POST-CLANG-FORMAT-WEBKIT
3.5-PRE-CLANG-FORMAT-WEBKIT
3.6-POST-CLANG-FORMAT-WEBKIT
3.6-PRE-CLANG-FORMAT-WEBKIT
Other
BEFORE_engine
OpenSSL_0_9_1c
OpenSSL_0_9_2b
OpenSSL_0_9_3
OpenSSL_0_9_3a
OpenSSL_0_9_3beta2
OpenSSL_0_9_4
OpenSSL_0_9_5a
OpenSSL_0_9_5a-beta1
OpenSSL_0_9_5a-beta2
OpenSSL_0_9_5beta1
OpenSSL_0_9_5beta2
OpenSSL_0_9_6-beta3
OpenSSL_1_1_0-pre1
OpenSSL_1_1_0-pre2
OpenSSL_1_1_0-pre3
OpenSSL_1_1_0-pre4
OpenSSL_1_1_0-pre5
OpenSSL_1_1_0-pre6
OpenSSL_1_1_1
OpenSSL_1_1_1-pre1
OpenSSL_1_1_1-pre2
OpenSSL_1_1_1-pre3
OpenSSL_1_1_1-pre4
OpenSSL_1_1_1-pre5
OpenSSL_1_1_1-pre6
OpenSSL_1_1_1-pre7
OpenSSL_1_1_1-pre8
OpenSSL_1_1_1-pre9
master-post-auto-reformat
master-post-reformat
master-pre-auto-reformat
master-pre-reformat
openssl-3.*
openssl-3.0.0
openssl-3.0.0-alpha1
openssl-3.0.0-alpha10
openssl-3.0.0-alpha11
openssl-3.0.0-alpha12
openssl-3.0.0-alpha13
openssl-3.0.0-alpha14
openssl-3.0.0-alpha15
openssl-3.0.0-alpha16
openssl-3.0.0-alpha17
openssl-3.0.0-alpha2
openssl-3.0.0-alpha3
openssl-3.0.0-alpha4
openssl-3.0.0-alpha5
openssl-3.0.0-alpha6
openssl-3.0.0-alpha7
openssl-3.0.0-alpha8
openssl-3.0.0-alpha9
openssl-3.0.0-beta1
openssl-3.0.0-beta2
openssl-3.0.1
openssl-3.0.10
openssl-3.0.11
openssl-3.0.12
openssl-3.0.13
openssl-3.0.14
openssl-3.0.15
openssl-3.0.16
openssl-3.0.17
openssl-3.0.18
openssl-3.0.2
openssl-3.0.3
openssl-3.0.4
openssl-3.0.5
openssl-3.0.6
openssl-3.0.7
openssl-3.0.8
openssl-3.0.9
openssl-3.2.0-alpha1
openssl-3.2.0-alpha2
openssl-3.3.0
openssl-3.3.0-alpha1
openssl-3.3.0-beta1
openssl-3.3.1
openssl-3.3.2
openssl-3.3.3
openssl-3.3.4
openssl-3.3.5
openssl-3.4.0
openssl-3.4.0-alpha1
openssl-3.4.0-beta1
openssl-3.4.1
openssl-3.4.2
openssl-3.4.3
openssl-3.5.0
openssl-3.5.0-alpha1
openssl-3.5.0-beta1
openssl-3.5.1
openssl-3.5.2
openssl-3.5.3
openssl-3.5.4
openssl-3.6.0
openssl-3.6.0-alpha1
openssl-3.6.0-beta1
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15467.json"
vanir_signatures
[
{
"source": "https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3",
"digest": {
"length": 397.0,
"function_hash": "261110716343456066027997908770781220296"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "crypto/evp/evp_lib.c",
"function": "evp_cipher_get_asn1_aead_params"
},
"id": "CVE-2025-15467-1e371f18"
},
{
"source": "https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e",
"digest": {
"line_hashes": [
"329585517079468733742312775788864029426",
"327536308535298630924771728884983816353",
"88199777040146306777862072605468896983",
"236713277121956468037986916213201116762",
"270753591454495127952041042908362536807",
"120586877600854545384530917415069442679",
"57068494517769352419947872617133408074"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "crypto/evp/evp_lib.c"
},
"id": "CVE-2025-15467-61300984"
},
{
"source": "https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc",
"digest": {
"length": 397.0,
"function_hash": "261110716343456066027997908770781220296"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "crypto/evp/evp_lib.c",
"function": "evp_cipher_get_asn1_aead_params"
},
"id": "CVE-2025-15467-670a7c72"
},
{
"source": "https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc",
"digest": {
"line_hashes": [
"329585517079468733742312775788864029426",
"327536308535298630924771728884983816353",
"88199777040146306777862072605468896983",
"236713277121956468037986916213201116762",
"270753591454495127952041042908362536807",
"120586877600854545384530917415069442679",
"57068494517769352419947872617133408074"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "crypto/evp/evp_lib.c"
},
"id": "CVE-2025-15467-7419a4ad"
},
{
"source": "https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9",
"digest": {
"length": 397.0,
"function_hash": "261110716343456066027997908770781220296"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "crypto/evp/evp_lib.c",
"function": "evp_cipher_get_asn1_aead_params"
},
"id": "CVE-2025-15467-8bf47941"
},
{
"source": "https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3",
"digest": {
"line_hashes": [
"329585517079468733742312775788864029426",
"327536308535298630924771728884983816353",
"88199777040146306777862072605468896983",
"236713277121956468037986916213201116762",
"270753591454495127952041042908362536807",
"120586877600854545384530917415069442679",
"57068494517769352419947872617133408074"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "crypto/evp/evp_lib.c"
},
"id": "CVE-2025-15467-94831191"
},
{
"source": "https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9",
"digest": {
"line_hashes": [
"329585517079468733742312775788864029426",
"327536308535298630924771728884983816353",
"88199777040146306777862072605468896983",
"236713277121956468037986916213201116762",
"270753591454495127952041042908362536807",
"120586877600854545384530917415069442679",
"57068494517769352419947872617133408074"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "crypto/evp/evp_lib.c"
},
"id": "CVE-2025-15467-adc28bb0"
},
{
"source": "https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703",
"digest": {
"line_hashes": [
"329585517079468733742312775788864029426",
"327536308535298630924771728884983816353",
"88199777040146306777862072605468896983",
"236713277121956468037986916213201116762",
"270753591454495127952041042908362536807",
"120586877600854545384530917415069442679",
"57068494517769352419947872617133408074"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "crypto/evp/evp_lib.c"
},
"id": "CVE-2025-15467-bceb1912"
},
{
"source": "https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703",
"digest": {
"length": 397.0,
"function_hash": "261110716343456066027997908770781220296"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "crypto/evp/evp_lib.c",
"function": "evp_cipher_get_asn1_aead_params"
},
"id": "CVE-2025-15467-f075c03c"
},
{
"source": "https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e",
"digest": {
"length": 397.0,
"function_hash": "261110716343456066027997908770781220296"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "crypto/evp/evp_lib.c",
"function": "evp_cipher_get_asn1_aead_params"
},
"id": "CVE-2025-15467-f8e81b92"
}
]