Nick Frichette, Staff Security Researcher
LAST UPDATED January 28, 2026

Today, on January 27th, 2026, the OpenSSL project published details on vulnerabilities affecting the OpenSSL Software Library. Impacted versions include 1.0.2, 1.1.1, and the 3.x series (3.0, 3.3, 3.4, 3.5, and 3.6). The disclosure covers one high-severity, one moderate-severity, and 10 low-severity issues. The high-severity vulnerability could lead to remote code execution (RCE) and is the first RCE issue to receive this severity designation from OpenSSL since CVE-2022-3602.

While the most realistic real-world impact across these issues is denial of service (DoS), the vulnerabilities are relevant to any environment that parses untrusted Cryptographic Message Syntax (CMS) or PKCS#12 data using affected OpenSSL versions. Tooling that may ingest these formats includes S/MIME gateways, certificate import/export services, PKI/CA tooling, and applications that accept uploaded CMS/PKCS#12 files.

Key points and observations

- CVE-2025-15467 (High): A pre-authentication stack buffer overflow in CMS AuthEnvelopedData AEAD parsing affecting OpenSSL 3.0, 3.3, 3.4, 3.5, and 3.6. FIPS modules for the 3.x series are not affected by this issue. A crafted CMS message with an oversized IV can trigger a crash and potentially enable code execution.
- CVE-2025-11187 (Moderate): A stack buffer overflow during PKCS#12 MAC verification when the PBKDF2 key length is attacker-controlled, leading to denial of service or potentially RCE. This affects OpenSSL 3.4, 3.5, and 3.6. The FIPS modules in the 3.x series are not affected by this issue.
How to know if you are affected

You may be impacted if your application or service:

- Parses untrusted CMS AuthEnvelopedData, commonly used in S/MIME and PKCS#7 workflows (for example, S/MIME-capable mail clients or email security gateways that decrypt inbound encrypted email)
- Verifies MACs on untrusted PKCS#12 files, such as during certificate import

The table below summarizes the affected versions:

| CVE | Affected versions | Vulnerable surface |
| --- | --- | --- |
| CVE-2025-15467 | 3.0, 3.3, 3.4, 3.5, 3.6 | CMS AuthEnvelopedData AEAD params |
| CVE-2025-11187 | 3.4, 3.5, 3.6 | PKCS#12 PBMAC1 MAC verification |

Additional version notes:

- OpenSSL 3.0 and 3.3 are not affected by CVE-2025-11187 because they do not support PBMAC1 in PKCS#12.
- None of the FIPS modules are affected by these vulnerabilities.

If your OS/base image includes a vulnerable OpenSSL build, then any application that uses that OpenSSL to parse untrusted CMS AuthEnvelopedData or PKCS#12 inputs may be affected. If you only use OpenSSL for TLS handshakes (and never accept CMS/PKCS#12 from untrusted sources), these issues are unlikely to be reachable.

If you're using an application runtime that packages its own OpenSSL version, such as Node.js, you need to upgrade the runtime itself; upgrading the operating system openssl package is not enough. Other languages, like Go, use their own TLS implementation and do not rely on OpenSSL, so they are not affected. Rust applications need to be handled case by case, since they can use either the rustls implementation or the OpenSSL bindings against the system-wide version. For provider-specific guidance, refer to the relevant security bulletins.

Analysis and exploitation of the vulnerabilities

CVE-2025-15467: CMS AuthEnvelopedData AEAD IV stack overflow

CMS AuthEnvelopedData combines encryption and authentication and is commonly used in S/MIME. When AEAD ciphers such as AES-GCM are selected, the IV is carried in ASN.1 parameters alongside the ciphertext.
The vulnerability resides in evp_cipher_get_asn1_aead_params() (OpenSSL 3.6.0 shown below as a reference).

```c
int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
                                    evp_cipher_aead_asn1_params *asn1_params)
{
    int i = 0;
    long tl;
    unsigned char iv[EVP_MAX_IV_LENGTH];

    if (type == NULL || asn1_params == NULL)
        return 0;

    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
    if (i <= 0)
        return -1;
    ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);

    memcpy(asn1_params->iv, iv, i);
    asn1_params->iv_len = i;
    return i;
}
```

The function first calls ossl_asn1_type_get_octetstring_int() to read the ASN.1 octet string length and then uses that returned length as the maximum for a second call that copies into iv[EVP_MAX_IV_LENGTH]. The helper returns the full length even when it exceeds EVP_MAX_IV_LENGTH, so the second call can copy more than the fixed-size stack buffer can hold. Because this occurs before authentication, a crafted CMS message can crash the process without requiring any valid cryptographic material. The attacker controls both the length and the content copied into the stack buffer, which is why this is the higher-risk of the two vulnerabilities covered in this article.

A denial of service condition can be demonstrated with a specially crafted PEM file:

```
nick@test-cattle:/tmp$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Libra...
```
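As an added illustration (not OpenSSL's code and not the project's fix), the following standalone C model shows the defensive pattern the flawed function lacks: decode the DER OCTET STRING length carried in the AEAD parameters and check it against the destination buffer before any copy, rather than letting the untrusted length become the copy bound. MODEL_MAX_IV_LENGTH, der_octet_string_len, parse_aead_iv and demo_parse are constructed names, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_MAX_IV_LENGTH 16          /* stands in for EVP_MAX_IV_LENGTH */
struct aead_params { unsigned char iv[MODEL_MAX_IV_LENGTH]; int iv_len; };

/* Decode a DER OCTET STRING header (tag 0x04, definite short or long form).
 * Returns the content length and sets *hdr to the header size, or -1. */
long der_octet_string_len(const uint8_t *p, size_t n, size_t *hdr)
{
    if (n < 2 || p[0] != 0x04)
        return -1;
    if (p[1] < 0x80) {                  /* short form: one length byte */
        *hdr = 2;
        return p[1];
    }
    size_t nbytes = p[1] & 0x7f;        /* long form: 0x8N then N length bytes */
    if (nbytes == 0 || nbytes > 3 || n < 2 + nbytes)
        return -1;
    long len = 0;
    for (size_t i = 0; i < nbytes; i++)
        len = (len << 8) | p[2 + i];
    *hdr = 2 + nbytes;
    return len;
}

/* Hardened counterpart of the flawed pattern: the copy is bounded by the
 * destination buffer, never by the length read from the untrusted input. */
int parse_aead_iv(const uint8_t *der, size_t der_len, struct aead_params *out)
{
    size_t hdr;
    long len = der_octet_string_len(der, der_len, &hdr);
    if (len <= 0 || len > MODEL_MAX_IV_LENGTH)  /* reject before any copy */
        return -1;
    if (der_len - hdr < (size_t)len)            /* content truncated */
        return -1;
    memcpy(out->iv, der + hdr, (size_t)len);
    out->iv_len = (int)len;
    return out->iv_len;
}

/* Constructed sample: a short-form OCTET STRING holding `len` zero bytes
 * (len < 128); not taken from any real CMS message. */
int demo_parse(uint8_t len)
{
    uint8_t der[2 + 127] = { 0x04, len };
    struct aead_params p;
    return parse_aead_iv(der, 2 + (size_t)len, &p);  /* 12 -> 12, 64 -> -1 */
}
```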
OpenSSL has released a security update addressing multiple vulnerabilities, including a high-severity remote code execution (RCE) flaw and a moderate-severity issue related to buffer overflows in CMS and PKCS#12 parsing. The vulnerabilities affect versions 1.0.2, 1.1.1, and the 3.x series, potentially impacting applications that process untrusted CMS or PKCS#12 data.