OPENSSL has issued a sweeping security update addressing a dozen vulnerabilities, with the headline High-severity stack overflow CVE-2025-15467 that could allow remote attackers to execute code on vulnerable systems. The advisory, released to the public, details issues affecting various components, including PKCS#12 handling, CMS parsing, and TLS 1.3 certificate compression.
The most alarming flaw, CVE-2025-15467, is rooted in how OpenSSL processes CMS structures, existing in the handling of AuthEnvelopedData messages that use AEAD ciphers such as AES-GCM. The issue arises when the system attempts to copy the Initialization Vector into a fixed-size buffer; according to the advisory, “Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow”.
Consequently, a stack overflow may lead to a crash, or potentially remote code execution, and this can occur before authentication checks. The update also covers CVE-2025-11187, a moderate vulnerability affecting PKCS#12 verification due to missing validation of PBMAC1 parameters. OpenSSL 3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19 are the recommended upgrades, with patches also available for older premium-supported versions.