CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-15467: OpenSSL CMS Stack Overflow: The 16-Byte Coffin


Vulnerability ID: CVE-2025-15467
CVSS Score: 9.8
Published: 2026-01-27

A high-severity stack-based buffer overflow in OpenSSL's CMS implementation allows unauthenticated remote attackers to crash applications or potentially execute arbitrary code. The vulnerability stems from a logic error in parsing ASN.1 AEAD parameters, where an unchecked length value leads to a catastrophic write past a fixed 16-byte stack buffer.

TL;DR

OpenSSL versions 3.0 through 3.6 contain a stack overflow in the CMS module. Parsing a malicious 'AuthEnvelopedData' structure with an oversized initialization vector (IV) smashes the stack before signature verification occurs. This allows unauthenticated DoS or RCE.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-787 (Out-of-bounds Write)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (Pre-Auth)
  • Impact: DoS / RCE
  • EPSS Score: 0.12%
  • Vulnerable Component: crypto/evp/evp_lib.c

Affected Systems

  • Email Gateways (S/MIME parsers)
  • MDM Solutions (EST/CMP protocols)
  • Web Servers handling client certificates or CMS
  • Any application linking OpenSSL 3.x and parsing CMS
  • OpenSSL: 3.6.0 (Fixed in: 3.6.1)
  • OpenSSL: 3.5.0 - 3.5.4 (Fixed in: 3.5.5)
  • OpenSSL: 3.4.0 - 3.4.3 (Fixed in: 3.4.4)
  • OpenSSL: 3.3.0 - 3.3.5 (Fixed in: 3.3.6)
  • OpenSSL: 3.0.0 - 3.0.18 (Fixed in: 3.0.19)

Code Analysis

Commit: Full ha

Fix provided by Igor Ustinov: adds bounds checking to evp_cipher_get_asn1_aead_params.

Exploit Details

Mitigation Strategies

  • Upgrade OpenSSL libraries immediately.
  • Enable compiler mitigations (Stack Canaries, ASLR, DEP) if compiling from source.
  • Filter CMS/S/MIME content at the network edge if patching is delayed.

Remediation Steps:

  1. Identify all instances of OpenSSL 3.x in your environment (check shared libraries).
  2. Download the latest patch release for your specific version branch.
  3. Recompile and redeploy applications linking statically against OpenSSL.
  4. Restart services linking dynamically to libcrypto/libssl.
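To support step 1, here is an added helper (not part of the original report) that classifies an OpenSSL version string against the fixed releases listed in the table above, and checks the openssl binary on PATH. Branches not listed in the table (3.1, 3.2) are reported as "unlisted" rather than guessed; the function names are my own.

```shell
#!/bin/sh
# Added example: map an OpenSSL "MAJOR.MINOR.PATCH" version to its
# CVE-2025-15467 status using the fixed releases from the advisory table.
# Prints one of: vulnerable | fixed | unaffected | unlisted
cve_2025_15467_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # drop letter suffixes such as 1.1.1w

    # Only the 3.x series is in scope of the advisory
    [ "$major" = 3 ] || { echo unaffected; return 0; }

    # First patch release that contains the fix, per branch (from the table)
    case $minor in
        0) fixed=19 ;;   # 3.0.0 - 3.0.18 vulnerable, fixed in 3.0.19
        3) fixed=6  ;;   # 3.3.0 - 3.3.5  vulnerable, fixed in 3.3.6
        4) fixed=4  ;;   # 3.4.0 - 3.4.3  vulnerable, fixed in 3.4.4
        5) fixed=5  ;;   # 3.5.0 - 3.5.4  vulnerable, fixed in 3.5.5
        6) fixed=1  ;;   # 3.6.0 vulnerable, fixed in 3.6.1
        *) echo unlisted; return 0 ;;   # branch not in the advisory table
    esac

    if [ "${patch:-0}" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
}

# Report the openssl binary found on PATH. Note this only covers that
# binary's libcrypto; statically linked applications need their own check.
check_local_openssl() {
    v=$(openssl version 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || { echo "openssl not found on PATH"; return 1; }
    printf '%s %s\n' "$v" "$(cve_2025_15467_status "$v")"
}
```

Run `check_local_openssl` on each host, and repeat for any bundled libcrypto an application ships with, since those are not visible to the system openssl binary.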

References


Read the full report for CVE-2025-15467 on our website for more details including interactive diagrams and full exploit analysis.
