securityaffairs.com 1/29/2026, 9:25:28 AM

OpenSSL issued security updates to fix 12 flaws, including Remote Code Execution

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Available

OpenSSL released security updates that address 12 vulnerabilities in the open-source cryptographic library, including a high-severity remote code execution flaw. The disclosures note that the issues are primarily related to memory safety, parsing robustness, and resource handling, with flaws such as stack and heap overflows in PKCS#12 and CMS parsing, and NULL pointer dereferences and type confusion in ASN.1, PKCS#7, QUIC, and TimeStamp handling.

OpenSSL also corrected a logic bug in the CLI signing tool that could fail to fully authenticate large inputs, a TLS 1.3 certificate compression issue that could cause memory exhaustion, and a low-level OCB mode flaw that might leave data partially unprotected.

Two of the most severe issues are CVE-2025-15467, a CMS AuthEnvelopedData AEAD IV stack overflow that can lead to DoS or potentially RCE in OpenSSL 3.0–3.6 when parsing untrusted AuthEnvelopedData, and CVE-2025-11187, a PKCS#12 PBMAC1 stack overflow that could cause DoS or code execution. The article attributes the discovery to the cybersecurity firm Aisle and was published by Security Affairs on 29 January 2026.


Article by CyberSIXT