CVE-2025-15467— Stack buffer overflow in CMS (Auth)EnvelopedData parsing
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-15467
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Stack buffer overflow in CMS (Auth)EnvelopedData parsing
Source: NVD (National Vulnerability Database)
Vulnerability Description
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨界内存写
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenSSL 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenSSL是OpenSSL团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL存在安全漏洞,该漏洞源于解析CMS AuthEnvelopedData消息时对AEAD参数处理不当,可能导致栈缓冲区溢出。以下版本受到影响:3.6版本、3.5版本、3.4版本、3.3版本和3.0版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-15467
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Working DoS for CVE-2025-15467 and a docker container to test against | https://github.com/balgan/CVE-2025-15467 | POC Details |
| 2 | Command Execution PoC for OpenSSL Stack buffer overflow CVE-2025-15467 | https://github.com/guiimoraes/CVE-2025-15467 | POC Details |
| 3 | None | https://github.com/MAXI8594/CVE-2025-15467_Scan | POC Details |
| 4 | discovery tool (powershell) | https://github.com/mr-r3b00t/CVE-2025-15467 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-15467
请登录查看更多情报信息。
- https://openssl-library.org/news/secadv/20260127.txtvendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-15467
Same Patch Batch · OpenSSL · 2026-01-27 · 12 CVEs total
| CVE-2026-22795 | Missing ASN1_TYPE validation in PKCS#12 parsing | |
| CVE-2026-22796 | ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function | |
| CVE-2025-15469 | 'openssl dgst' one-shot codepath silently truncates inputs >16MB | |
| CVE-2025-15468 | NULL dereference in SSL_CIPHER_find() function on unknown cipher ID | |
| CVE-2025-66199 | TLS 1.3 CompressedCertificate excessive memory allocation | |
| CVE-2025-68160 | Heap out-of-bounds write in BIO_f_linebuffer on short writes | |
| CVE-2025-11187 | Improper validation of PBMAC1 parameters in PKCS#12 MAC verification | |
| CVE-2025-69421 | NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function | |
| CVE-2025-69420 | Missing ASN1_TYPE validation in TS_RESP_verify_response() function | |
| CVE-2025-69419 | Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion | |
| CVE-2025-69418 | Unauthenticated/unencrypted trailing bytes with low-level OCB function calls |
IV. Related Vulnerabilities
Same product: OpenSSL
- CVE-2026-31790
Incorrect Failure Handling in RSA KEM RSASVE Encapsulation - CVE-2026-31789
Heap Buffer Overflow in Hexadecimal Conversion - CVE-2026-28390
Possible NULL Dereference When Processing CMS KeyTransportRe - CVE-2026-28389
Possible NULL Dereference When Processing CMS KeyAgreeRecipi - CVE-2026-28388
NULL Pointer Dereference When Processing a Delta CRL
Same vendor: OpenSSL
- CVE-2026-31790
Incorrect Failure Handling in RSA KEM RSASVE Encapsulation - CVE-2026-31789
Heap Buffer Overflow in Hexadecimal Conversion - CVE-2026-28390
Possible NULL Dereference When Processing CMS KeyTransportRe - CVE-2026-28389
Possible NULL Dereference When Processing CMS KeyAgreeRecipi - CVE-2026-28388
NULL Pointer Dereference When Processing a Delta CRL
V. Comments for CVE-2025-15467
No comments yet