Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. (CVE-2025-69421)
- Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12. (CVE-2025-11187)
- Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. (CVE-2025-15467)
- Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. (CVE-2025-15468)
- Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected. The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary. OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue. (CVE-2025-15469)
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v3.0 Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
Exploit Ease: Exploits are available
Reference Information
CVE: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796