Login Sign Up

CVE-2025-15467

9.8 CRITICAL
Remote Code Execution Denial of Service Buffer Overflow

📋 TL;DR

This vulnerability allows attackers to trigger a stack buffer overflow by sending maliciously crafted CMS AuthEnvelopedData messages with oversized IV parameters. Applications and services parsing untrusted CMS or PKCS#7 content using AEAD ciphers like AES-GCM are vulnerable. The overflow occurs before authentication, requiring no valid key material to trigger.

💻 Affected Systems

Products:
  • OpenSSL
Versions: 3.0, 3.3, 3.4, 3.5, 3.6
Operating Systems: All platforms running affected OpenSSL versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects CMS AuthEnvelopedData parsing with AEAD ciphers. FIPS modules are not affected. OpenSSL 1.1.1 and 1.0.2 are not vulnerable.

📦 What is this software?

Openssl by Openssl

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

Learn more about Openssl →

Openssl by Openssl

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

Learn more about Openssl →

Openssl by Openssl

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

Learn more about Openssl →

Openssl by Openssl

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

Learn more about Openssl →

Openssl by Openssl

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

Learn more about Openssl →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise

🟠

Likely Case

Denial of service through application crashes

🟢

If Mitigated

Application crash without code execution if stack protections are enabled

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No valid key material required to trigger overflow. Exploitability for RCE depends on platform mitigations like ASLR and stack canaries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check OpenSSL security advisories for specific patched versions

Vendor Advisory: https://www.openssl.org/news/secadv/

Restart Required: Yes

Instructions:

1. Check current OpenSSL version
2. Update to patched version via package manager
3. Restart affected services
4. Recompile applications if statically linked

🔧 Temporary Workarounds

Disable CMS AuthEnvelopedData parsing

all

Configure applications to reject or not process CMS AuthEnvelopedData messages

Application-specific configuration required

🧯 If You Can't Patch

  • Implement network filtering to block CMS AuthEnvelopedData messages
  • Use application-level input validation to reject oversized IV parameters

🔍 How to Verify

Check if Vulnerable:

Check OpenSSL version with 'openssl version' command

Check Version:

openssl version

Verify Fix Applied:

Verify version is not in affected range (3.0-3.6) or has been patched

📡 Detection & Monitoring

Log Indicators:

  • Application crashes
  • Stack overflow errors
  • Memory corruption warnings

Network Indicators:

  • CMS AuthEnvelopedData messages with large IV parameters

SIEM Query:

Application logs containing 'segmentation fault', 'stack overflow', or 'buffer overflow' near CMS parsing events

📊 Metadata

CVE ID: CVE-2025-15467
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787
EPSS Score: 0.66% exploit probability (70.7th percentile)
Published: January 27, 2026
Last Updated: February 25, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15467, you might also want to check these:

CVE-2022-43604 10.0

CVE-2022-43604 is a critical out-of-bounds write vulnerability in the OpENer EtherNet/IP stack that ...

Same vulnerability type (CWE-787)
CVE-2025-24201 10.0

This critical vulnerability allows malicious web content to break out of the Web Content sandbox via...

Same vulnerability type (CWE-787)
CVE-2020-14871 10.0

This is a critical buffer overflow vulnerability (CWE-787) in Oracle Solaris's Pluggable Authenticat...

Same vulnerability type (CWE-787)