CVE-2025-69419

7.4 HIGH

📋 TL;DR

This OpenSSL vulnerability allows memory corruption via a malicious PKCS#12 file containing non-ASCII BMP characters in the friendly name field. When PKCS12_get_friendlyname() processes such files, it can write one byte outside the allocated buffer, potentially causing denial of service. Applications using OpenSSL's PKCS12_get_friendlyname() API with untrusted PKCS#12 files are affected.

💻 Affected Systems

Products:
  • OpenSSL
Versions: OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1
Operating Systems: All operating systems using affected OpenSSL versions
Default Config Vulnerable: ⚠️ Yes
Notes: FIPS modules are not affected. OpenSSL 1.0.2 is not vulnerable. Only PKCS12_get_friendlyname() is vulnerable, not PKCS12_parse().

📦 What is this software?

Openssl by Openssl

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory corruption leading to application crash (denial of service) or potentially arbitrary code execution in specific memory layouts.

🟠 Likely Case

Application crash or denial of service due to heap corruption when processing malicious PKCS#12 files.

🟢 If Mitigated

No impact if applications don't use PKCS12_get_friendlyname() or only process trusted PKCS#12 files.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires an attacker to supply a malicious PKCS#12 file to a vulnerable application. Only a single zero byte is written before the buffer.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in the latest releases via the commits referenced in the CVE

Vendor Advisory: https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296

Restart Required: Yes

Instructions:

1. Update OpenSSL to the latest patched version.
2. Recompile applications linking against OpenSSL.
3. Restart affected services.

🔧 Temporary Workarounds

Avoid PKCS12_get_friendlyname()

Platforms: all

Modify applications to use PKCS12_parse() instead of PKCS12_get_friendlyname() when processing untrusted PKCS#12 files.

Input Validation

Platforms: all

Validate PKCS#12 files before processing, rejecting files with non-ASCII BMP characters in friendly name fields.

🧯 If You Can't Patch

  • Implement strict input validation for PKCS#12 files, rejecting any with non-ASCII BMP characters
  • Use network controls to prevent untrusted PKCS#12 files from reaching vulnerable systems
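The "Input Validation" workaround and the first "If You Can't Patch" item both come down to the same check: before a friendly name is handed to a converter that assumes ASCII, confirm that every code unit of the BMPString actually is ASCII. The following is an added example written for this page, not OpenSSL code and not the patch referenced above. It takes the raw DER-encoded BMPString value of a friendlyName attribute (the caller is assumed to have already pulled that value out of the PKCS#12 bag attributes), rejects malformed encodings and any code unit outside printable ASCII, and only then copies the name into a caller-supplied buffer whose size it has checked. All function names, the result codes and the sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the validator (constructed for this example). */
enum bmp_check { BMP_OK = 0, BMP_BAD_DER = -1, BMP_NON_ASCII = -2, BMP_TOO_LONG = -3 };

/*
 * Validate a DER-encoded BMPString (tag 0x1E, UCS-2 big-endian code units)
 * and, if every code unit is printable ASCII (0x20..0x7E), copy it to `out`
 * as a NUL-terminated string. Only short-form and one-byte long-form
 * lengths are accepted, which covers any realistic friendly name; anything
 * else is treated as malformed. Nothing is written to `out` unless the whole
 * value has been checked and is known to fit.
 */
static int bmpstring_check_ascii(const unsigned char *der, size_t der_len,
                                 char *out, size_t out_len)
{
    size_t hdr, content_len, n_chars, i;

    if (der == NULL || der_len < 2 || der[0] != 0x1E)
        return BMP_BAD_DER;

    if (der[1] < 0x80) {                 /* short-form length */
        content_len = der[1];
        hdr = 2;
    } else if (der[1] == 0x81) {         /* long-form, one length byte */
        if (der_len < 3)
            return BMP_BAD_DER;
        content_len = der[2];
        hdr = 3;
    } else {
        return BMP_BAD_DER;
    }

    /* Declared length must match the data, and UCS-2 content is always even. */
    if (der_len != hdr + content_len || (content_len % 2) != 0)
        return BMP_BAD_DER;

    /* One ASCII byte per 2-byte code unit, plus the terminating NUL. */
    n_chars = content_len / 2;
    if (out != NULL && n_chars + 1 > out_len)
        return BMP_TOO_LONG;

    for (i = 0; i < n_chars; i++) {
        unsigned int unit = ((unsigned int)der[hdr + 2 * i] << 8) | der[hdr + 2 * i + 1];
        if (unit < 0x20 || unit > 0x7E)  /* any non-ASCII BMP character rejects the name */
            return BMP_NON_ASCII;
        if (out != NULL)
            out[i] = (char)unit;
    }
    if (out != NULL)
        out[n_chars] = '\0';
    return BMP_OK;
}

/* Constructed sample BMPString values, as they would appear inside a PKCS#12 bag. */
static const unsigned char SAMPLE_ASCII[]     = { 0x1E, 0x08, 0x00, 'k', 0x00, 'e', 0x00, 'y', 0x00, '1' }; /* "key1" */
static const unsigned char SAMPLE_NON_ASCII[] = { 0x1E, 0x04, 0x00, 0xE9, 0x00, 'A' };                     /* U+00E9 'A' */
static const unsigned char SAMPLE_ODD_LEN[]   = { 0x1E, 0x03, 0x00, 'A', 0x00 };                           /* truncated code unit */

static int check_sample_ascii(void)
{
    char buf[16];
    return bmpstring_check_ascii(SAMPLE_ASCII, sizeof SAMPLE_ASCII, buf, sizeof buf);
}

static const char *sample_ascii_decoded(void)
{
    static char buf[16];
    if (bmpstring_check_ascii(SAMPLE_ASCII, sizeof SAMPLE_ASCII, buf, sizeof buf) != BMP_OK)
        return "";
    return buf;
}

static int check_sample_non_ascii(void)
{
    char buf[16];
    return bmpstring_check_ascii(SAMPLE_NON_ASCII, sizeof SAMPLE_NON_ASCII, buf, sizeof buf);
}

static int check_sample_odd_length(void)
{
    char buf[16];
    return bmpstring_check_ascii(SAMPLE_ODD_LEN, sizeof SAMPLE_ODD_LEN, buf, sizeof buf);
}

/* The ASCII sample needs 5 bytes including the NUL; a 4-byte buffer must be refused. */
static int check_sample_too_long(void)
{
    char buf[4];
    return bmpstring_check_ascii(SAMPLE_ASCII, sizeof SAMPLE_ASCII, buf, sizeof buf);
}

int main(void)
{
    printf("ascii name   -> %d, decoded \"%s\"\n", check_sample_ascii(), sample_ascii_decoded());
    printf("non-ascii    -> %d (BMP_NON_ASCII is %d)\n", check_sample_non_ascii(), BMP_NON_ASCII);
    printf("odd length   -> %d (BMP_BAD_DER is %d)\n", check_sample_odd_length(), BMP_BAD_DER);
    printf("small buffer -> %d (BMP_TOO_LONG is %d)\n", check_sample_too_long(), BMP_TOO_LONG);
    return 0;
}
```

The design point is that the length check happens once, on the decoded character count, before any byte is stored, and the output buffer is sized by the caller rather than derived from attacker-controlled data inside the routine. A name that fails the check is rejected whole rather than partially converted, which matches the workaround above of refusing the file instead of trying to repair it.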

🔍 How to Verify

Check if Vulnerable:

Check the OpenSSL version with 'openssl version'. If the reported version is in the 3.6, 3.5, 3.4, 3.3, 3.0, or 1.1.1 series and has not been updated to the patched release, the system is vulnerable.

Check Version:

openssl version

Verify Fix Applied:

Verify that the OpenSSL version has been updated beyond the vulnerable versions. Test with sample PKCS#12 files containing non-ASCII BMP characters.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing PKCS#12 files
  • Memory corruption errors in application logs

Network Indicators:

  • Unexpected PKCS#12 file transfers to systems using OpenSSL

SIEM Query:

Search for application crashes with OpenSSL/PKCS12 context or memory corruption errors
