Severity
High
Analysis Summary
On January 27, 2026, OpenSSL released patches addressing 12 security vulnerabilities across versions 1.0.2 to 3.6. The most critical flaw, CVE-2025-15467, involves a stack overflow in CMS AuthEnvelopedData parsing when using AEAD ciphers like AES-GCM. Exploiting this flaw requires no key and can lead to crashes or even remote code execution in applications that process untrusted CMS or PKCS#7 data, such as S/MIME clients. The vulnerability’s impact is heightened due to the stack write primitive, although platform mitigations like ASLR may reduce exploitability.
Other notable vulnerabilities include CVE-2025-11187, which causes stack overflows or null dereferences during PBMAC1 validation in PKCS#12 files when key lengths exceed 64 bytes. Additional low-severity issues, such as CVE-2025-69419, CVE-2025-69421, and CVE-2026-22795, affect PKCS#12 handling, timestamp verification, and PKCS#7 digest processing, potentially leading to out-of-bounds writes or null pointer dereferences. Most of these require crafted inputs, limiting their impact to specific scenarios.
Affected OpenSSL versions span 3.6 through 1.0.2, with fixed releases including 3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19, 1.1.1ze, and 1.0.2zn. FIPS module users remain unaffected since the vulnerable code exists outside the module boundaries. The vulnerabilities were reported by researchers, with patches contributed.
Mitigation recommendations emphasize immediate upgrades to the fixed versions, strict validation of PKCS#12 and CMS file inputs, and avoiding untrusted sources. For TLS 1.3, disabling certificate compression via SSL_OP_NO_RX_CERTIFICATE_COMPRESSION helps prevent DoS attacks. Organizations running web servers, VPNs, or cryptographic tools that rely on OpenSSL should prioritize patching S/MIME, timestamp, and PKCS parsing components to prevent crashes, data corruption, or potential remote code execution.
Impact
- Remote Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-11187
- CVE-2025-15467
- CVE-2025-15468
- CVE-2025-15469
- CVE-2025-66199
- CVE-2025-68160
- CVE-2025-69418
- CVE-2025-69419
- CVE-2025-69420
- CVE-2025-69421
- CVE-2026-22795
- CVE-2026-22796
Affected Vendors
Remediation
- Upgrade OpenSSL immediately to the patched versions.
- Avoid processing untrusted PKCS#12, PKCS#7, or CMS files and check file sizes and key lengths before parsing.
- Disable TLS 1.3 certificate compression using SSL_OP_NO_RX_CERTIFICATE_COMPRESSION.
- Patch applications that parse S/MIME, CMS, PKCS#7, or timestamps, especially those exposed to remote inputs.
- Identify software and services using OpenSSL libraries and ensure all dependent packages are upgraded.
- Monitor logs for crashes, DoS events, or unexpected behavior in crypto-enabled applications.
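
An added example (not from the advisory or the OpenSSL project) for the inventory step above: it compares an OpenSSL version string against the fixed releases listed on this page, including the letter suffixes of the 1.1.1 and 1.0.2 branches. The function names and sample strings are constructed for illustration. It assumes upstream version strings; vendor packages that backport fixes may report an older version while already patched.

```python
import re

# Fixed releases as listed in this advisory, keyed by release branch.
FIXED = {
    "3.6": "3.6.1", "3.5": "3.5.5", "3.4": "3.4.4", "3.3": "3.3.6",
    "3.0": "3.0.19", "1.1.1": "1.1.1ze", "1.0.2": "1.0.2zn",
}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(text):
    """Return (major, minor, patch, letters) from a version string or banner."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters

def sort_key(version):
    major, minor, patch, letters = version
    # Pre-3.0 letter suffixes run a..z, then za..zz: order by length, then text.
    return (major, minor, patch, len(letters), letters)

def branch_of(version):
    major, minor, patch, _ = version
    # 3.x branches are major.minor; 1.x branches are major.minor.patch.
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"

def check(text):
    """Classify a version string: 'patched', 'needs-upgrade' or 'unknown'."""
    if "OpenSSL" not in text and not text[:1].isdigit():
        return "unknown"  # e.g. a LibreSSL banner, which has its own numbering
    version = parse_version(text)
    fixed = FIXED.get(branch_of(version))
    if fixed is None:
        return "unknown"  # no fixed release for this branch on this page
    if sort_key(version) >= sort_key(parse_version(fixed)):
        return "patched"
    return "needs-upgrade"

if __name__ == "__main__":
    import ssl
    # The OpenSSL this Python interpreter is linked against.
    print(ssl.OPENSSL_VERSION, "->", check(ssl.OPENSSL_VERSION))
    # Constructed sample strings, not taken from any real host.
    for sample in ("OpenSSL 3.0.13 30 Jan 2024", "1.1.1w", "1.0.2zn", "3.2.1"):
        print(sample, "->", check(sample))
```

An "unknown" result means the branch has no fixed release listed here and needs a manual decision, not that it is safe.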

