CVE-2025-69421

7.5 HIGH

📋 TL;DR

A NULL pointer dereference in OpenSSL's PKCS12_item_decrypt_d2i_ex() function lets an attacker who can supply a malformed PKCS#12 file crash the application that parses it, causing denial of service. Any application that loads PKCS#12 files with a vulnerable OpenSSL build is affected. The impact is limited to a crash: the flaw does not lead to code execution or memory disclosure.

💻 Affected Systems

Products:
  • OpenSSL
Versions: the OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 release series, prior to the fixing commits listed below
Operating Systems: All operating systems using affected OpenSSL versions
Default Config Vulnerable: ⚠️ Yes
Notes: FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are NOT affected. Vulnerability only triggers when processing PKCS#12 files.

📦 What is this software?

Openssl by Openssl

OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.

Learn more about Openssl →


⚠️ Risk & Real-World Impact

🔴

Worst Case

Application crashes when processing malicious PKCS#12 files, causing denial of service for services that handle such files.

🟠

Likely Case

Service disruption for applications that process untrusted PKCS#12 files, requiring restart of affected services.

🟢

If Mitigated

No impact if applications don't process PKCS#12 files or use patched OpenSSL versions.

🌐 Internet-Facing: LOW - Requires specific malformed PKCS#12 file processing, limited to DoS only.
🏢 Internal Only: LOW - Same limitations apply, requires processing of malicious files.

🎯 Exploit Status

Public PoC: No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires providing malformed PKCS#12 file to vulnerable application. No authentication needed if application accepts such files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in commits: 3524a29271f8191b8fd8a5257eb05173982a097b, 36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7, 4bbc8d41a72c842ce4077a8a3eccd1109aaf74bd, 643986985cd1c21221f941129d76fe0c2785aeb3, a2dbc539f0f9cc63832709fa5aa33ad9495eb19c

Vendor Advisory: https://github.com/openssl/openssl/commit/3524a29271f8191b8fd8a5257eb05173982a097b

Restart Required: Yes

Instructions:

1. Update OpenSSL to a release that contains the fixing commits.
2. Rebuild or redeploy any application that statically links or bundles its own copy of libcrypto.
3. Restart affected services so they load the patched library.

🔧 Temporary Workarounds

Disable PKCS#12 file processing (platform: all)

Configure applications not to accept or load PKCS#12 files where that functionality is not required.

Input validation for PKCS#12 files (platform: all)

Accept PKCS#12 files only from trusted sources, enforce a size limit, and check the outer DER structure of the file before handing it to the library. Treat this as defence in depth only: the page does not describe the exact malformed field that triggers the NULL dereference, so a structural check cannot be relied on to block it, and patching remains the fix.
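The following Python script is an added example of the structural pre-check described in the workaround above; it is not code from the OpenSSL project or from this page. It parses only the outer DER layers of a candidate file (the PFX SEQUENCE, its version, the authSafe ContentInfo and the optional macData, as defined in RFC 7292) with a small strict DER reader, and rejects files that are truncated, carry trailing bytes, use non-minimal or indefinite lengths, or lack the authSafe content. It never decrypts anything, so a file can pass this check and still crash an unpatched library. The two sample inputs are constructed in the script and are not real PKCS#12 files.

```python
"""Structural pre-check for PKCS#12 (PFX) files before they are passed to OpenSSL.
Added example; it relies only on the RFC 7292 outer structure (PFX, ContentInfo, MacData)
and never touches the encrypted contents, so it is defence in depth, not a fix."""

OID_DATA = "1.2.840.113549.1.7.1"         # id-data: password integrity mode
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData: public-key integrity mode

class DerError(ValueError): """Structural problem; the caller rejects the file."""

def read_tlv(buf: bytes, pos: int):
    """Strict DER tag-length-value reader: returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise DerError("unexpected end of data")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F                  # 0x80 alone is the BER indefinite form, which DER forbids
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("indefinite, oversized or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
            raise DerError("non-minimal length encoding")
    if pos + length > len(buf):
        raise DerError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    if not value or value[-1] & 0x80:     # last octet must end an arc
        raise DerError("malformed OID")
    arcs, acc = [value[0] // 40, value[0] % 40], 0   # first-two-arc split suffices for OIDs checked here
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def validate_pfx(data: bytes) -> dict:
    """Walk the outer PFX layers; raise DerError on the first structural problem."""
    tag, pfx, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise DerError("outer element is not a single SEQUENCE")
    tag, ver, pos = read_tlv(pfx, 0)
    if tag != 0x02 or ver != b"\x03":
        raise DerError("PFX version is not v3")
    tag, ci, pos = read_tlv(pfx, pos)
    if tag != 0x30:
        raise DerError("authSafe is not a SEQUENCE")
    tag, oid, cpos = read_tlv(ci, 0)
    if tag != 0x06:
        raise DerError("authSafe contentType is not an OID")
    ctype = decode_oid(oid)
    if ctype not in (OID_DATA, OID_SIGNED_DATA):
        raise DerError(f"unexpected authSafe contentType {ctype}")
    if cpos >= len(ci):                   # OPTIONAL in ASN.1, but a PFX without it carries nothing
        raise DerError("authSafe content is absent")
    tag, content, cpos = read_tlv(ci, cpos)
    if tag != 0xA0 or cpos != len(ci):
        raise DerError("authSafe content is not a single [0] EXPLICIT element")
    if ctype == OID_DATA:
        tag, octets, _ = read_tlv(content, 0)
        if tag != 0x04 or not octets:
            raise DerError("authSafe data is not a non-empty OCTET STRING")
    mac_present = False
    if pos < len(pfx):
        tag, _, pos = read_tlv(pfx, pos)
        if tag != 0x30:
            raise DerError("macData is not a SEQUENCE")
        mac_present = True
    if pos != len(pfx):
        raise DerError("trailing bytes inside PFX")
    return {"content_type": ctype, "mac_present": mac_present}

def check(data: bytes):
    """Return (True, info) for a structurally plausible PFX, else (False, reason)."""
    try:
        return True, validate_pfx(data)
    except DerError as e:
        return False, str(e)

# Constructed samples (not real PKCS#12 files): the authSafe payload is a placeholder
# OCTET STRING and the SHA-1 MAC digest and salt are all zeros.
GOOD_PFX = bytes.fromhex(
    "3049" "020103"
    "3011" "06092a864886f70d010701" "a004" "04023000"
    "3031" "3021" "300906052b0e03021a0500" "0414" + "00" * 20 + "0408" + "00" * 8 + "02020800")
NO_CONTENT_PFX = bytes.fromhex("3010" "020103" "300b" "06092a864886f70d010701")  # [0] content removed

if __name__ == "__main__":
    for name, blob in ("good", GOOD_PFX), ("no-content", NO_CONTENT_PFX), ("truncated", GOOD_PFX[:-5]):
        print(name, check(blob))
```

Run the check in the request handler before the file is written anywhere the application's OpenSSL code path can pick it up, and log the rejection reason; the reader is deliberately strict (DER only, minimal lengths, no trailing data) because every leniency is another parser state the library would otherwise have to handle.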

🧯 If You Can't Patch

  • Implement network or gateway controls to block or filter PKCS#12 file uploads to vulnerable applications
  • Move PKCS#12 parsing into a separate, automatically restarted worker process so that a crash does not take down the main service
  • Use application-level monitoring to detect and alert on PKCS#12 processing failures and crashes

🔍 How to Verify

Check if Vulnerable:

Run 'openssl version' and check whether the reported release series (3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 or 1.0.2) is affected. The series alone does not tell you whether the fix is present, because fixed point releases and distribution backports keep the same major.minor number: compare the full version string against the fixed release named in the vendor advisory, or check your distribution's package changelog for the commit hashes listed above. Also check applications that statically link or bundle their own libcrypto, which 'openssl version' does not report.

Check Version:

openssl version

Verify Fix Applied:

Confirm that the full OpenSSL version (and the version of any bundled libcrypto) is at or beyond the fixed release, then exercise the PKCS#12 code path with a known-good file, for example one produced with 'openssl pkcs12 -export', to confirm the application still loads it after the update.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing PKCS#12 files
  • Segmentation fault errors in application logs
  • Unexpected service restarts after file processing

Network Indicators:

  • Unusual PKCS#12 file uploads to applications
  • Spikes in failed certificate or keystore imports on endpoints that accept PKCS#12 uploads

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "null pointer" OR "crash") AND "PKCS12"
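The following Python is an added example, not part of the page or any vendor tooling: it runs the SIEM query above over constructed log lines and adds a correlation that the plain query misses. Kernel and systemd crash records normally do not contain the string PKCS12, so the script also flags any crash-type message from a host that logged PKCS#12 activity shortly before. The log format, hostnames, process names and timestamps are all assumed for the example.

```python
"""Detection over constructed log lines: the page's SIEM query plus host-level correlation.
Added example; the lines in SAMPLE_LOGS are constructed and not real data.
Assumed format: "<ISO-8601 time> <host> <process>[pid]: <message>"."""
import re
from datetime import datetime, timedelta

SIEM_TERMS = ("segmentation fault", "null pointer", "crash")  # terms from the SIEM query above
CRASH_TERMS = SIEM_TERMS + ("segfault", "segv")               # broader set for correlation
PKCS12_TERMS = ("pkcs12", "pkcs#12", ".p12")

SAMPLE_LOGS = """\
2025-11-03T10:01:50Z web01 certsvc[2231]: received PKCS12 upload 9c1e (4212 bytes), starting import
2025-11-03T10:02:14Z web01 kernel: certsvc[2231]: segfault at 0 ip 00007f1c3a2b0d44 error 4 in libcrypto.so.3
2025-11-03T10:02:14Z web01 systemd[1]: certsvc.service: Main process exited, code=killed, status=11/SEGV
2025-11-03T10:02:16Z web01 certsvc-supervisor[2290]: worker crash during PKCS12 import of upload 9c1e, restarting
2025-11-03T10:05:40Z web02 certsvc[1187]: PKCS12 import ok for upload 7f3a
2025-11-03T10:07:30Z db01 postgres[999]: crash recovery complete
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")

def matches_siem_query(line: str) -> bool:
    """Literal, case-insensitive port of the SIEM query: a crash term AND "PKCS12"."""
    low = line.lower()
    return "pkcs12" in low and any(t in low for t in SIEM_TERMS)

def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "host": m["host"], "proc": m["proc"], "msg": m["msg"]}

def correlate(lines, window=timedelta(seconds=60)):
    """Flag crash-type messages on a host that logged PKCS#12 activity within `window` before them.

    This catches kernel and systemd crash records that never mention PKCS12 themselves.
    Returns a list of (host, timestamp, process, message) tuples.
    """
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for ev in events:
        if not any(t in ev["msg"].lower() for t in CRASH_TERMS):
            continue
        context = [p for p in events
                   if p["host"] == ev["host"]
                   and any(t in p["msg"].lower() for t in PKCS12_TERMS)
                   and timedelta(0) <= ev["ts"] - p["ts"] <= window]
        if context:
            alerts.append((ev["host"], ev["ts"].isoformat(), ev["proc"], ev["msg"]))
    return alerts

if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("SIEM query hits:", [l for l in lines if matches_siem_query(l)])
    for alert in correlate(lines):
        print("ALERT", *alert)
```

On the sample data the literal query matches only the supervisor line; the correlation additionally surfaces the kernel segfault and the systemd SIGSEGV exit on the same host, while ignoring the unrelated "crash recovery" message on db01 because that host logged no PKCS#12 activity.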
