CVE-2025-15467
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2026-01-27

Last updated on: 2026-05-07

Assigner: OpenSSL Software Foundation

Description
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-05-07
Generated
2026-05-27
AI Q&A
2026-01-28
EPSS Evaluated
2026-05-25
NVD
CVE-2025-15467
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
openssl openssl From 3.0.0 (inc) to 3.0.19 (exc)
openssl openssl From 3.4.0 (inc) to 3.4.4 (exc)
openssl openssl From 3.5.0 (inc) to 3.5.5 (exc)
openssl openssl From 3.6.0 (inc) to 3.6.1 (exc)
openssl openssl From 3.1.0 (inc) to 3.3.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-15467 is a high-severity stack buffer overflow vulnerability in OpenSSL's parsing of CMS AuthEnvelopedData messages that use AEAD ciphers like AES-GCM. When processing these messages, the Initialization Vector (IV) encoded in ASN.1 parameters is copied into a fixed-size stack buffer without checking if the IV length fits. An attacker can craft a CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication occurs. This can lead to application crashes or potentially remote code execution depending on platform mitigations. [1]


How can this vulnerability impact me? :

This vulnerability can cause your application or service that parses untrusted CMS or PKCS#7 content using AEAD ciphers to crash, resulting in Denial of Service (DoS). In some cases, it may allow an attacker to execute remote code on your system, which could lead to full compromise depending on your platform and security mitigations. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for the presence of CMS AuthEnvelopedData messages that use AEAD ciphers such as AES-GCM with unusually large Initialization Vectors (IVs) in ASN.1 parameters. Detection involves inspecting CMS or PKCS#7 content parsing processes for malformed or oversized IVs that could trigger the stack buffer overflow. Specific commands are not provided in the resources, but users should analyze network traffic or logs for CMS messages with AEAD encryption and oversized IV fields. Additionally, checking the OpenSSL version in use can help identify if the system is vulnerable (versions 3.6, 3.5, 3.4, 3.3, and 3.0 are vulnerable). [1, 7]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading OpenSSL to the fixed versions: 3.6.1, 3.5.5, 3.4.4, 3.3.6, or 3.0.19, which contain patches that properly validate and handle the IV length in AEAD-encrypted CMS messages. Avoid processing untrusted CMS or PKCS#7 content using vulnerable OpenSSL versions. If upgrading is not immediately possible, consider restricting or monitoring the use of CMS AuthEnvelopedData messages with AEAD ciphers to prevent exploitation. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart