CVE-2025-15467
Stack buffer overflow in CMS AuthEnvelopedData parsing
Description
Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
INFO
Published Date :
Jan. 27, 2026, 4:16 p.m.
Last Modified :
Feb. 2, 2026, 6:38 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update OpenSSL to a patched version.
- Avoid parsing untrusted CMS content.
- Validate IV length before copying.
- Apply vendor security updates promptly.
Public PoC/Exploit Available at Github
CVE-2025-15467 has a 14 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-15467.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-15467 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-15467
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
CLI magic for vulnerabilities & CVEs using the GraphQL API from VMware Tanzu Hub
Go
None
Dockerfile JavaScript
Mirror of https://github.com/nomi-sec/PoC-in-GitHub
discovery tool (powershell)
PowerShell
None
Command Execution PoC for OpenSSL Stack buffer overflow CVE-2025-15467
Python Shell
Working DoS for CVE-2025-15467 and a docker container to test against
Python Dockerfile C Shell
CYBERDUDEBIVASH safe scanner parses CMS (PKCS#7 / S/MIME) files using pure ASN.1 decoding — without invoking vulnerable OpenSSL code — and checks for IV lengths exceeding safe thresholds in AuthEnvelopedData with AES-GCM ciphers.
cve cyberdudebivash cyberdudebivashecosystem cybersecurity cybersecurity-tools incident-response openssh openssl pki
Python
None
Python Shell HCL
Scripts, gists, and current projects
Python script using chainctl, grype, and cosign to pull all info needed for upgrading Chainguard images
Python
Hardened Docker AIO Tor Bridge, Relay & Exit Stack 🧅🐋🛡️
anonymity anticensorship cosmos-cloud docker internet-freedom open-source tor-bridges tor-exits tor-hidden-services tor-relay tor-relay-operator tor-relays network-security tor
Shell Dockerfile Edge HTML
Model Context Protocol(MCP)サーバーのためのプロダクション対応Docker環境。
Makefile Shell
使用Google Gemini API,对hacker news Top100文章总结摘要并翻译成体中文,每日自动更新。
ai gemini hacker-news hackernews summarizer
Ruby Shell Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-15467 vulnerability anywhere in the article.
-
CybersecurityNews
OpenSSL Vulnerabilities Allow Remote Attackers to Execute Malicious Code
OpenSSL patched 12 vulnerabilities on January 27, 2026, including one high-severity flaw that could lead to remote code execution. Most issues cause denial-of-service attacks but highlight risks in pa ... Read more
-
Daily CyberSecurity
Pre-Auth RCE Risk: OpenSSL Patches High-Severity Stack Overflow (CVE-2025-15467)
The maintainers of OpenSSL, the cryptographic library that underpins a vast portion of the secure web, have released a sweeping security update to address a dozen vulnerabilities ranging from memory c ... Read more
-
Daily CyberSecurity
Under Attack: Critical Fortinet Auth Bypass (CVE-2026-24858) Exploited in the Wild
Fortinet has issued an urgent warning regarding a critical vulnerability affecting its core network security platforms, including FortiOS, FortiManager, and FortiAnalyzer. The flaw, tracked as CVE-202 ... Read more
-
security.nl
OpenSSL-lek kan remote code execution mogelijk maken
Een kwetsbaarheid in OpenSSL kan in bepaalde gevallen remote code execution mogelijk maken. Er zijn nieuwe versies van de software beschikbaar gesteld waarin het probleem, aangeduid als CVE-2025-15467 ... Read more
The following table lists the changes that have been made to the
CVE-2025-15467 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Feb. 02, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.0.19 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.3.0 up to (excluding) 3.3.6 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.4.0 up to (excluding) 3.4.4 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.5.0 up to (excluding) 3.5.5 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.6.0 up to (excluding) 3.6.1 Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/01/27/10 Types: Mailing List Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc Types: Patch Added Reference Type OpenSSL Software Foundation: https://openssl-library.org/news/secadv/20260127.txt Types: Vendor Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jan. 29, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jan. 27, 2026
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2026/01/27/10 -
New CVE Received by [email protected]
Jan. 27, 2026
Action Type Old Value New Value Added Description Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Added CWE CWE-787 Added Reference https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703 Added Reference https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9 Added Reference https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3 Added Reference https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e Added Reference https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc Added Reference https://openssl-library.org/news/secadv/20260127.txt