CVE-2025-15469
- Source
- https://cve.org/CVERecord?id=CVE-2025-15469
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15469.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-15469
- Downstream
- Related
- Published
- 2026-01-27T16:16:14.523Z
- Modified
- 2026-02-04T22:45:57.193252Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.
Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.
When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.
The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.
The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.
OpenSSL 3.5 and 3.6 are vulnerable to this issue.
OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.
- References
Affected packages
Git / github.com/openssl/openssl
Affected versions
3.*
3.5-POST-CLANG-FORMAT-WEBKIT
3.5-PRE-CLANG-FORMAT-WEBKIT
3.6-POST-CLANG-FORMAT-WEBKIT
3.6-PRE-CLANG-FORMAT-WEBKIT
openssl-3.*
openssl-3.5.0
openssl-3.5.1
openssl-3.5.2
openssl-3.5.3
openssl-3.5.4
openssl-3.6.0
Database specific
vanir_signatures
[
{
"target": {
"file": "apps/pkeyutl.c",
"function": "pkeyutl_main"
},
"id": "CVE-2025-15469-10f1bc70",
"source": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f",
"digest": {
"length": 10857.0,
"function_hash": "212228841673431056146465126541337533815"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "apps/dgst.c",
"function": "do_fp_oneshot_sign"
},
"id": "CVE-2025-15469-18503972",
"source": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f",
"digest": {
"length": 1198.0,
"function_hash": "88977091618643355030458455526359446145"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "apps/include/apps.h"
},
"id": "CVE-2025-15469-2754f23a",
"source": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"227258810690806335023709467440286937986",
"232207871338832115308861135636948768941",
"25478977988942185872237915964140765082",
"317101125628261075216842366223898645214"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "apps/pkeyutl.c",
"function": "do_raw_keyop"
},
"id": "CVE-2025-15469-357415c0",
"source": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61",
"digest": {
"length": 2106.0,
"function_hash": "250528554950089641273639263094309425490"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "apps/pkeyutl.c",
"function": "pkeyutl_main"
},
"id": "CVE-2025-15469-482bc178",
"source": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61",
"digest": {
"length": 10877.0,
"function_hash": "221736045798794370953419892458565511990"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "apps/pkeyutl.c",
"function": "do_raw_keyop"
},
"id": "CVE-2025-15469-5826e2b9",
"source": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f",
"digest": {
"length": 2106.0,
"function_hash": "250528554950089641273639263094309425490"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "apps/pkeyutl.c"
},
"id": "CVE-2025-15469-635e3fcd",
"source": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61",
"digest": {
"threshold": 0.9,
"line_hashes": [
"305924987350381295789107983526275131157",
"178429892547339982574360161656332596125",
"334199488807297436420901136928416588618",
"299354725958646694728211751187427750044",
"102823356912437616249303678018106411397",
"284891280395261345304781960262262131016",
"269583926299159990607681024398477742242",
"15001667330662635548189009938367789847",
"24829520073120363856704180037135357028",
"251421544922898217684784406150638670641",
"70376878669662900373781755177756958707",
"308070734347971949675615084507027332180",
"195699910136187893597277994991245552039",
"124677722259414841502577401939012354992",
"204730702772995237958083299784600007211",
"97559071865453719088460236986359419759",
"181830799189847499881058586683682393087",
"255798367455813954187450055419539196126",
"16976051906099164600071256996601524790",
"60997279368018373322540201782970052046",
"119112814736924418154120184761168445526",
"177048193871406516803941824197920132802",
"328533803064093723412201814823034489844",
"74993187985359849467882936824543486732",
"27660370578531579675285801460524771059",
"4137398993908373553781930419111371019",
"95899803239524010464161610685887064762",
"155841087565880550807786160177063075480",
"189578760573374130829792641089190481007",
"275837860039241942852612136978339070565",
"224995211624061404133958704868360917155",
"195992284887328762241802353892062571357",
"285186859958220356354701703795166542818",
"45612756563373322592121550442955224459",
"271496094830856099272576289787868329005",
"294540813307711543972274950353565640757",
"125788737158127102749994868809905157797",
"179711066325042513081554061577626183161",
"15909391535600768286658177385461346827",
"45570690022461346361129612774315299843",
"25535134466604188193311015340771630800",
"51323777660847153809787621242828812097",
"11100169014847010961702439058627461935",
"140480802037399458574488697331797796629",
"58116529351025822842778752402063741040",
"31083107422838222196971811467025043317",
"133953687781203631228018723039629339611",
"252568670714053692954236980990721792441",
"135233649706706311060384527277004819292",
"205600080300099230180301934520145556205",
"179974065674737221214001470494118362671",
"162038941642900330596661659958742453746",
"160984483865709310531705956472499878717",
"311066517750144352583973367015849341192",
"103848847026781116507714441906592712030",
"159470526370639918302015357193498698610",
"282111153419982954304585527368311373799",
"242549317190591448467135024141066397361",
"237048065734516515952722119408189329011",
"64907335567016084136603847842162209336",
"225147766155990291569246560966745027579",
"238485743722946176194053757294880590841",
"114471220936058235084023558658508754833",
"271399186946538914865532273137687812314"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "apps/dgst.c"
},
"id": "CVE-2025-15469-68594445",
"source": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"337195744894306731172021192417435862251",
"262394556558287772314649309373811514643",
"131024702825821257845902063367515473353",
"288573058171361063150524539259214592560",
"179777289355070181179699556959266343573",
"256660793303826506045551337835334325047",
"74864485953486525813400030151435969831",
"275629639833652181820759152089870424484"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "apps/include/apps.h"
},
"id": "CVE-2025-15469-7e9db0c9",
"source": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61",
"digest": {
"threshold": 0.9,
"line_hashes": [
"227258810690806335023709467440286937986",
"232207871338832115308861135636948768941",
"25478977988942185872237915964140765082",
"317101125628261075216842366223898645214"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "apps/lib/apps.c"
},
"id": "CVE-2025-15469-88576e9d",
"source": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"178886424368849781187412812707202184078",
"23907489613037874445007566035555891586",
"182764102215067014697744721983229066906",
"82399995305919947935205152326475960686",
"71588919673915059909292174853044946237",
"32611167303499820271332185436103491520",
"177841201292886486291820156043013791501",
"297649404630470658117338181993628361419",
"326736254106452769402977505444159961894",
"98887668352931737995684887232340809848",
"123486537405338709783094797063550746566",
"291623867627072088070286490428747429457",
"36207368432447556700105376988218398504",
"247915130002305598966585099115408693609",
"193385446925121018419184397535548167043",
"46606481160145738244165931400422726345",
"141400689923202815549674615471905383502",
"268504774933357644608394363609011585922",
"212080980809755009407987893521739759700",
"136287681586360532644587184728530580922",
"65250579744754714764890425224934837896",
"148790965055453146303199808337229945562",
"323065588300368459376223122243898560817",
"15333796609996291974640636470945159304",
"7330470789393717162416320201632523778",
"11335824232892660569393143526652284109",
"11674407262196627670746587681639995393",
"117413260887347820311037900883071041462",
"146326415103361981751503794603551924722",
"236627740946537219547978115795130561196",
"16615343955239754372823734685894223813",
"175089399861240446091329919473304336607",
"168784334714895209896887233805677354874",
"213602784469686040789068867945726022151",
"222297415360394044252561579248714757510",
"260354428503011189831954012014202403302",
"546498257156615346400657585511580626",
"160522790281106810873815685667536512002",
"294073175683426529675147728638047430873",
"326747957018626443186779671311497424377"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "apps/lib/apps.c"
},
"id": "CVE-2025-15469-b5a2a3b4",
"source": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61",
"digest": {
"threshold": 0.9,
"line_hashes": [
"178886424368849781187412812707202184078",
"23907489613037874445007566035555891586",
"182764102215067014697744721983229066906",
"82399995305919947935205152326475960686",
"71588919673915059909292174853044946237",
"32611167303499820271332185436103491520",
"177841201292886486291820156043013791501",
"297649404630470658117338181993628361419",
"326736254106452769402977505444159961894",
"98887668352931737995684887232340809848",
"123486537405338709783094797063550746566",
"291623867627072088070286490428747429457",
"36207368432447556700105376988218398504",
"247915130002305598966585099115408693609",
"193385446925121018419184397535548167043",
"46606481160145738244165931400422726345",
"141400689923202815549674615471905383502",
"268504774933357644608394363609011585922",
"212080980809755009407987893521739759700",
"136287681586360532644587184728530580922",
"65250579744754714764890425224934837896",
"148790965055453146303199808337229945562",
"323065588300368459376223122243898560817",
"15333796609996291974640636470945159304",
"7330470789393717162416320201632523778",
"11335824232892660569393143526652284109",
"11674407262196627670746587681639995393",
"117413260887347820311037900883071041462",
"146326415103361981751503794603551924722",
"236627740946537219547978115795130561196",
"16615343955239754372823734685894223813",
"175089399861240446091329919473304336607",
"168784334714895209896887233805677354874",
"213602784469686040789068867945726022151",
"222297415360394044252561579248714757510",
"260354428503011189831954012014202403302",
"546498257156615346400657585511580626",
"160522790281106810873815685667536512002",
"294073175683426529675147728638047430873",
"326747957018626443186779671311497424377"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "apps/dgst.c"
},
"id": "CVE-2025-15469-b89c8eee",
"source": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61",
"digest": {
"threshold": 0.9,
"line_hashes": [
"337195744894306731172021192417435862251",
"262394556558287772314649309373811514643",
"131024702825821257845902063367515473353",
"288573058171361063150524539259214592560",
"179777289355070181179699556959266343573",
"256660793303826506045551337835334325047",
"74864485953486525813400030151435969831",
"275629639833652181820759152089870424484"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
},
{
"target": {
"file": "apps/dgst.c",
"function": "do_fp_oneshot_sign"
},
"id": "CVE-2025-15469-bf5d07db",
"source": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61",
"digest": {
"length": 1198.0,
"function_hash": "88977091618643355030458455526359446145"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "apps/lib/apps.c",
"function": "bio_to_mem"
},
"id": "CVE-2025-15469-d0e89092",
"source": "https://github.com/openssl/openssl/commit/a7936fa4bd23c906e1955a16a0a0ab39a4953a61",
"digest": {
"length": 668.0,
"function_hash": "291382975425298623792273732029893643914"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "apps/lib/apps.c",
"function": "bio_to_mem"
},
"id": "CVE-2025-15469-d88418ea",
"source": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f",
"digest": {
"length": 668.0,
"function_hash": "291382975425298623792273732029893643914"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function"
},
{
"target": {
"file": "apps/pkeyutl.c"
},
"id": "CVE-2025-15469-e08c6bc5",
"source": "https://github.com/openssl/openssl/commit/310f305eb92ea8040d6b3cb75a5feeba8e6acf2f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"305924987350381295789107983526275131157",
"178429892547339982574360161656332596125",
"334199488807297436420901136928416588618",
"299354725958646694728211751187427750044",
"102823356912437616249303678018106411397",
"284891280395261345304781960262262131016",
"269583926299159990607681024398477742242",
"15001667330662635548189009938367789847",
"24829520073120363856704180037135357028",
"251421544922898217684784406150638670641",
"70376878669662900373781755177756958707",
"308070734347971949675615084507027332180",
"195699910136187893597277994991245552039",
"124677722259414841502577401939012354992",
"204730702772995237958083299784600007211",
"97559071865453719088460236986359419759",
"181830799189847499881058586683682393087",
"255798367455813954187450055419539196126",
"16976051906099164600071256996601524790",
"60997279368018373322540201782970052046",
"119112814736924418154120184761168445526",
"177048193871406516803941824197920132802",
"328533803064093723412201814823034489844",
"74993187985359849467882936824543486732",
"27660370578531579675285801460524771059",
"4137398993908373553781930419111371019",
"95899803239524010464161610685887064762",
"155841087565880550807786160177063075480",
"189578760573374130829792641089190481007",
"275837860039241942852612136978339070565",
"224995211624061404133958704868360917155",
"195992284887328762241802353892062571357",
"285186859958220356354701703795166542818",
"45612756563373322592121550442955224459",
"271496094830856099272576289787868329005",
"294540813307711543972274950353565640757",
"125788737158127102749994868809905157797",
"179711066325042513081554061577626183161",
"15909391535600768286658177385461346827",
"45570690022461346361129612774315299843",
"25535134466604188193311015340771630800",
"51323777660847153809787621242828812097",
"99593067976283425185378772201045598987",
"150000257433117690522471857706870034759",
"95552869319419170665353400043456929380",
"227391375539725111263085281264533994554",
"309258111232337663027406413051321433930",
"239690125624602263916155109372206478636",
"93120705895338281462202469042622493923",
"123172333622133718280812036304609317765",
"160984483865709310531705956472499878717",
"311066517750144352583973367015849341192",
"103848847026781116507714441906592712030",
"159470526370639918302015357193498698610",
"282111153419982954304585527368311373799",
"242549317190591448467135024141066397361",
"237048065734516515952722119408189329011",
"64907335567016084136603847842162209336",
"225147766155990291569246560966745027579",
"238485743722946176194053757294880590841",
"114471220936058235084023558658508754833",
"271399186946538914865532273137687812314"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-15469.json"