Internet Security

OpenSSL issued security updates to fix 12 flaws, including Remote Code Execution

January 29, 2026 add comment

OpenSSL released security updates that address 12 flaws, including a high-severity remote code execution vulnerability.

OpenSSL issued security updates fixing 12 vulnerabilities in the open-source cryptographic library, including a high-severity remote code execution flaw.

Cybersecurity firm Aisle discovered the twelve vulnerabilities.

The addressed issues are mainly tied to memory safety, parsing robustness, and resource handling. The flaws include stack and heap overflows in PKCS#12 and CMS parsing, NULL pointer dereferences and type-confusion bugs in ASN.1, PKCS#7, QUIC, and TimeStamp handling that can cause denial of service, and out-of-bounds writes in auxiliary APIs like BIO filters. OpenSSL also corrected a logic bug in the CLI signing tool that failed to fully authenticate large inputs, a TLS 1.3 certificate compression issue that enabled memory exhaustion, and a low-level OCB mode flaw that could leave data partially unprotected.

The two most severe issues are:

  1. CVE‑2025‑15467 – CMS AuthEnvelopedData AEAD IV stack overflow – A stack buffer overflow in OpenSSL CMS/PKCS#7 AEAD parsing lets attackers supply an oversized IV that overflows a fixed stack buffer before authentication. The flaw can cause DoS or potentially lead to RCE and affects OpenSSL 3.0–3.6 when parsing untrusted AuthEnvelopedData.
  2. CVE‑2025‑11187 – PBMAC1 in PKCS#12 stack overflow / pointer issues – A validation flaw in OpenSSL PKCS#12 PBMAC1 lets attackers abuse PBKDF2 parameters to overflow a fixed 64-byte stack buffer during MAC verification. The issue can trigger DoS and potentially code execution. It affects OpenSSL 3.4–3.6 when parsing untrusted PKCS#12 files.

Other 2026 issues are assessed as Low severity in the bulletin and are primarily constrained to Denial of Service or integrity gaps in narrower usage scenarios (CLI tools, legacy PKCS#7, TimeStamp, BIO filters, OCB low‑level API, PKCS#12 parsing type confusions with DoS‑only impact).

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter