www.securityweek.com 1/28/2026, 8:00:35 AM · via preferred

High-Severity Remote Code Execution Vulnerability Patched in OpenSSL

CyberSIXT Evidence Panel:
- CISA KEV: not in KEV
- Patch: available

SECURITYWEEK reports that OpenSSL has patched a dozen vulnerabilities, all discovered by the cybersecurity firm Aisle. The high-severity issue is tracked as CVE-2025-15467 and is described as a stack buffer overflow that could lead to a crash or remote code execution in certain conditions.

According to the OpenSSL advisory, the overflow occurs when parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, where the IV encoded in ASN.1 parameters is copied into a fixed-size stack buffer without verifying its length. An attacker could supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification.
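The pattern the advisory describes (a length taken from attacker-controlled ASN.1 parameters driving a copy into a fixed-size stack buffer) is shown below as an added, constructed illustration in C. It is not OpenSSL's code and it does not reproduce the patched function; the `IV_BUF_LEN` constant, the minimal DER OCTET STRING reader, the function names and the sample byte strings are all assumptions made for this example. The unchecked copy is included only for contrast; the checked loader is the form that rejects an oversized IV before any write happens.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed illustration of the bug class, not OpenSSL's code. An AEAD IV
 * arrives inside DER-encoded algorithm parameters as an OCTET STRING and is
 * copied into a fixed-size buffer on the receiver's stack. */

#define IV_BUF_LEN 16   /* assumed buffer size; AES-GCM normally uses a 12-byte IV */

/* Minimal DER OCTET STRING reader (tag 0x04, short-form or one-byte long-form
 * length). Returns 1 and sets *content/*content_len on success, 0 if malformed. */
int der_octet_string(const unsigned char *der, size_t der_len,
                     const unsigned char **content, size_t *content_len)
{
    size_t hdr, len;
    if (der == NULL || der_len < 2 || der[0] != 0x04)
        return 0;
    if (der[1] < 0x80) {           /* short form: length fits in one byte */
        len = der[1];
        hdr = 2;
    } else if (der[1] == 0x81) {   /* long form: one following length byte */
        if (der_len < 3)
            return 0;
        len = der[2];
        hdr = 3;
    } else {
        return 0;                  /* longer encodings are not needed for an IV */
    }
    if (len > der_len - hdr)       /* content must lie inside the supplied bytes */
        return 0;
    *content = der + hdr;
    *content_len = len;
    return 1;
}

/* Vulnerable pattern: the decoded length alone drives memcpy into a fixed
 * buffer. Shown for contrast only; never called with an oversized IV here. */
void copy_iv_unchecked(unsigned char iv_buf[IV_BUF_LEN],
                       const unsigned char *iv, size_t iv_len)
{
    memcpy(iv_buf, iv, iv_len);    /* writes past iv_buf when iv_len > IV_BUF_LEN */
}

/* Hardened form: parse, then bound the length against the buffer before copying.
 * Returns 1 on success (IV copied, *iv_len set), 0 if the IV is rejected. */
int load_iv_checked(const unsigned char *der, size_t der_len,
                    unsigned char *iv_buf, size_t iv_buf_len, size_t *iv_len)
{
    const unsigned char *content;
    size_t content_len;

    if (!der_octet_string(der, der_len, &content, &content_len))
        return 0;
    if (content_len == 0 || content_len > iv_buf_len)
        return 0;                  /* the bound the advisory says was missing */
    memcpy(iv_buf, content, content_len);
    *iv_len = content_len;
    return 1;
}

/* Constructed sample parameters: a normal 12-byte GCM IV and a 64-byte one. */
static const unsigned char SAMPLE_IV_12[] = {
    0x04, 0x0c, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c
};
static unsigned char SAMPLE_IV_64[2 + 64];  /* filled in by build_oversized_sample() */

size_t build_oversized_sample(void)
{
    SAMPLE_IV_64[0] = 0x04;
    SAMPLE_IV_64[1] = 0x40;        /* short-form length 64 */
    memset(SAMPLE_IV_64 + 2, 0x41, 64);
    return sizeof(SAMPLE_IV_64);
}

/* Runs the checked loader against a message with a fresh local buffer.
 * Returns the accepted IV length, or 0 if the message was rejected. */
size_t accept_sample(const unsigned char *der, size_t der_len)
{
    unsigned char iv_buf[IV_BUF_LEN];
    size_t iv_len = 0;
    if (!load_iv_checked(der, der_len, iv_buf, sizeof(iv_buf), &iv_len))
        return 0;
    return iv_len;
}

int main(void)
{
    build_oversized_sample();
    printf("12-byte IV accepted length: %zu\n", accept_sample(SAMPLE_IV_12, sizeof(SAMPLE_IV_12)));
    printf("64-byte IV accepted length: %zu\n", accept_sample(SAMPLE_IV_64, sizeof(SAMPLE_IV_64)));
    printf("truncated message accepted length: %zu\n", accept_sample(SAMPLE_IV_12, 5));
    return 0;
}
```

The defensive point is the ordering: the length is validated against the destination buffer before the copy, and a malformed or truncated encoding is rejected by the parser itself, so the oversized IV never reaches `memcpy`. Passing the destination size explicitly, as `load_iv_checked` does, also makes the bound visible at the call site instead of relying on a constant the caller may not know about.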

The releases also address CVE-2025-11187, a moderate-severity issue that could similarly enable DoS or remote code execution, while the remaining flaws are mostly low severity. SecurityWeek notes that most of the fixes relate to DoS potential or to authentication and information exposure, and that six issues had been addressed prior to the affected code’s release.


Article by CyberSIXT