CVE-2025-15467
Stack buffer overflow in CMS (Auth)EnvelopedData parsing
Description
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
INFO
Published Date :
Jan. 27, 2026, 4:16 p.m.
Last Modified :
Feb. 25, 2026, 10:16 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update OpenSSL to a patched version.
- Avoid parsing untrusted CMS content.
- Validate IV length before copying.
- Apply vendor security updates promptly.
Public PoC/Exploit Available at Github
CVE-2025-15467 has a 19 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-15467.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-15467 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-15467
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Proof-of-concept exploits and reproduction labs for CVEs analyzed by the Exploit Intelligence Platform
cves exploits proof-of-concept
Shell Python PHP Ruby JavaScript C# Java HTML C GDB
None
Dockerfile TypeScript HCL
None
Dockerfile JavaScript Shell HTML HCL
CLI magic for vulnerabilities & CVEs using the GraphQL API from VMware Tanzu Hub
Go
None
Dockerfile JavaScript PowerShell Shell
Mirror of https://github.com/nomi-sec/PoC-in-GitHub
discovery tool (powershell)
PowerShell
None
Command Execution PoC for OpenSSL Stack buffer overflow CVE-2025-15467
Python Shell
Working DoS for CVE-2025-15467 and a docker container to test against
Python Dockerfile C Shell
CYBERDUDEBIVASH safe scanner parses CMS (PKCS#7 / S/MIME) files using pure ASN.1 decoding — without invoking vulnerable OpenSSL code — and checks for IV lengths exceeding safe thresholds in AuthEnvelopedData with AES-GCM ciphers.
cve cyberdudebivash cyberdudebivashecosystem cybersecurity cybersecurity-tools incident-response openssh openssl pki
Python
None
Python Shell HCL
Scripts, gists, and current projects
Python script using chainctl, grype, and cosign to pull all info needed for upgrading Chainguard images
Python
Hardened Docker AIO Tor Bridge, Relay & Exit Stack 🧅🐋🛡️
anonymity anticensorship cosmos-cloud docker internet-freedom open-source tor-bridges tor-exits tor-hidden-services tor-relay tor-relay-operator tor-relays network-security tor
Shell Dockerfile Edge HTML
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-15467 vulnerability anywhere in the article.
-
Help Net Security
IPFire ships its 200th core update with a new domain blocklist and kernel upgrade
Network firewall distribution IPFire released Core Update 200, marking the 200th incremental update to the 2.29 branch. The release bundles a kernel upgrade, a beta domain blocklist service, security ... Read more
-
Schneier on Security
AI Found Twelve New Vulnerabilities in OpenSSL
The title of the post is”What AI Security Research Looks Like When It Works,” and I agree: In the latest OpenSSL security release> on January 27, 2026, twelve new zero-day vulnerabilities (meaning unk ... Read more
-
CybersecurityNews
OpenSSL Vulnerabilities Allow Remote Attackers to Execute Malicious Code
OpenSSL patched 12 vulnerabilities on January 27, 2026, including one high-severity flaw that could lead to remote code execution. Most issues cause denial-of-service attacks but highlight risks in pa ... Read more
-
Daily CyberSecurity
Pre-Auth RCE Risk: OpenSSL Patches High-Severity Stack Overflow (CVE-2025-15467)
The maintainers of OpenSSL, the cryptographic library that underpins a vast portion of the secure web, have released a sweeping security update to address a dozen vulnerabilities ranging from memory c ... Read more
-
Daily CyberSecurity
Under Attack: Critical Fortinet Auth Bypass (CVE-2026-24858) Exploited in the Wild
Fortinet has issued an urgent warning regarding a critical vulnerability affecting its core network security platforms, including FortiOS, FortiManager, and FortiAnalyzer. The flaw, tracked as CVE-202 ... Read more
-
security.nl
OpenSSL-lek kan remote code execution mogelijk maken
Een kwetsbaarheid in OpenSSL kan in bepaalde gevallen remote code execution mogelijk maken. Er zijn nieuwe versies van de software beschikbaar gesteld waarin het probleem, aangeduid als CVE-2025-15467 ... Read more
The following table lists the changes that have been made to the
CVE-2025-15467 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Feb. 25, 2026
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2026/02/25/6 -
CVE Modified by [email protected]
Feb. 25, 2026
Action Type Old Value New Value Changed Description Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. -
Initial Analysis by [email protected]
Feb. 02, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.0.19 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.3.0 up to (excluding) 3.3.6 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.4.0 up to (excluding) 3.4.4 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.5.0 up to (excluding) 3.5.5 *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.6.0 up to (excluding) 3.6.1 Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2026/01/27/10 Types: Mailing List Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3 Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e Types: Patch Added Reference Type OpenSSL Software Foundation: https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc Types: Patch Added Reference Type OpenSSL Software Foundation: https://openssl-library.org/news/secadv/20260127.txt Types: Vendor Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jan. 29, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Jan. 27, 2026
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2026/01/27/10 -
New CVE Received by [email protected]
Jan. 27, 2026
Action Type Old Value New Value Added Description Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Added CWE CWE-787 Added Reference https://github.com/openssl/openssl/commit/2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703 Added Reference https://github.com/openssl/openssl/commit/5f26d4202f5b89664c5c3f3c62086276026ba9a9 Added Reference https://github.com/openssl/openssl/commit/6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3 Added Reference https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e Added Reference https://github.com/openssl/openssl/commit/d0071a0799f20cc8101730145349ed4487c268dc Added Reference https://openssl-library.org/news/secadv/20260127.txt