Critical OpenSSL Flaws Enable Remote Code Execution Attacks


Key Takeaways:

  • OpenSSL patched 12 vulnerabilities on January 27, 2026, including one high-severity flaw that could lead to remote code execution.
  • The most serious issue, CVE-2025-15467, affects CMS AuthEnvelopedData parsing with AEAD ciphers like AES-GCM, and could lead to crashes or potential remote code execution.
  • Other vulnerabilities include stack overflows, null dereferences, and out-of-bounds writes, primarily affecting PKCS#12 and CMS parsing.
  • The vulnerabilities affect various versions of OpenSSL, from 3.6 to 1.0.2, and users are advised to upgrade immediately to prevent denial-of-service attacks or worse.

Introduction to OpenSSL Vulnerabilities
OpenSSL, a widely used open-source cryptographic library, patched 12 vulnerabilities on January 27, 2026, including one high-severity flaw that could lead to remote code execution. The vulnerabilities affect various versions of OpenSSL, from 3.6 to 1.0.2. Most of them result in denial of service, but together they highlight the risks of parsing untrusted data. The most serious issue, CVE-2025-15467, affects CMS AuthEnvelopedData parsing with AEAD ciphers like AES-GCM, and could lead to crashes or potential remote code execution in applications handling untrusted CMS or PKCS#7 data.

High-Severity Vulnerability: CVE-2025-15467
CVE-2025-15467 is particularly concerning because an attacker can supply an oversized IV in the ASN.1 parameters, which causes a stack overflow before any authentication check is performed. This could lead to crashes or potential remote code execution in applications handling untrusted CMS or PKCS#7 data, such as S/MIME. The flaw can be exploited without a key, and the stack write primitive poses a severe danger. OpenSSL rated this vulnerability as High severity, and users are advised to patch immediately to prevent remote code execution.

Other Vulnerabilities
In addition to the high-severity vulnerability, several other issues were patched, including CVE-2025-11187, which involves improper PBMAC1 validation in PKCS#12 files, leading to stack overflows or null dereferences. Other vulnerabilities include CVE-2025-69419, CVE-2025-69421, and CVE-2026-22795, which affect PKCS#12 handling and cause out-of-bounds writes or null dereferences. These vulnerabilities, while not as severe as CVE-2025-15467, still pose a risk to applications parsing untrusted data and should be patched to prevent denial-of-service attacks.

Affected Versions and Patching
The vulnerabilities affect various versions of OpenSSL, from 3.6 to 1.0.2, excluding older branches without features like PBMAC1 or QUIC. FIPS modules are not affected because the vulnerable code sits outside their boundaries. Users are advised to upgrade to the latest version of OpenSSL, such as 3.6.1, 3.5.5, or 3.4.4, to patch the vulnerabilities. It is also recommended to avoid untrusted PKCS#12/CMS inputs, validate file sizes, and set SSL_OP_NO_RX_CERTIFICATE_COMPRESSION so that compressed certificates are not accepted on TLS 1.3 connections.

Mitigation Steps and Conclusion
To mitigate the risks associated with these vulnerabilities, users should upgrade to the latest version of OpenSSL immediately. Additionally, users should avoid untrusted PKCS#12/CMS inputs, validate file sizes, and set SSL_OP_NO_RX_CERTIFICATE_COMPRESSION so that compressed certificates are not accepted on TLS 1.3 connections. Servers parsing S/MIME or timestamps should patch first because they are exposed to remote input. OpenSSL powers web servers, VPNs, and crypto tools worldwide, and quick updates can prevent denial-of-service attacks or worse in production.
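
As an added example (not part of the original article or of OpenSSL itself), the following script triages `openssl version` output collected from a fleet against the fixed releases named above. The host names and inventory lines are constructed sample data. Branches for which this article gives no fixed release are reported as `check-advisory` rather than guessed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
# Branches the article gives no fixed release for are deliberately absent.
FIXED = {(3, 6): (3, 6, 1), (3, 5): (3, 5, 5), (3, 4): (3, 4, 4)}

# Matches "OpenSSL 3.5.4 ..." and letter-suffixed forms such as "OpenSSL 1.1.1w".
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")

# Sort key: hosts that need action come first.
ORDER = {"upgrade": 0, "check-advisory": 1, "unparsed": 2, "patched": 3}


def triage(version_line):
    """Classify one line of `openssl version` output.

    'patched'        - at or above the fixed release for its branch
    'upgrade'        - below the fixed release for its branch
    'check-advisory' - branch not listed in FIXED; consult the vendor advisory
    'unparsed'       - not an OpenSSL version string (e.g. a fork)
    """
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unparsed"
    version = tuple(int(part) for part in m.group(1, 2, 3))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "check-advisory"
    return "patched" if version >= fixed else "upgrade"


def triage_inventory(records):
    """Turn 'host<TAB>version line' records into (host, status), worst first."""
    results = []
    for record in records.strip().splitlines():
        host, _, version_line = record.partition("\t")
        results.append((host.strip(), triage(version_line)))
    return sorted(results, key=lambda r: (ORDER[r[1]], r[0]))


# Constructed sample inventory (release dates omitted from the version lines).
SAMPLE = (
    "mail-gw-01\tOpenSSL 3.5.4\n"
    "web-02\tOpenSSL 3.6.1\n"
    "vpn-03\tOpenSSL 1.1.1w\n"
    "build-04\tLibreSSL 3.8.2\n"
    "tsa-05\tOpenSSL 3.4.3\n"
)

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE):
        print(f"{host:12} {status}")
```

The script only reports the version string it is given; statically linked or vendored copies of OpenSSL inside applications need to be inventoried separately.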
