OpenSSL January Security Update Fixes CMS and PKCS#12 Stack Overflows With RCE Risk
OpenSSL released a security update on January 27, 2026, addressing 12 vulnerabilities across supported branches, including one High-severity issue with potential remote code execution (RCE), one Moderate, and multiple Low-severity flaws. The most serious vulnerability, CVE-2025-15467 (High), is a pre-authentication stack buffer overflow in CMS AuthEnvelopedData parsing when using AEAD ciphers (e.g., AES-GCM); a crafted CMS message with an oversized IV in ASN.1 parameters can trigger a crash and may enable code execution in applications that parse untrusted CMS/PKCS#7 content (notably S/MIME workflows). Both sources emphasize that while DoS is the most likely outcome in many environments, the presence of a stack write primitive makes the issue operationally significant where untrusted CMS is processed.
A second notable issue, CVE-2025-11187 (Moderate), involves a stack overflow during PKCS#12 MAC verification (PBMAC1/PBKDF2-related validation), where attacker-controlled parameters (e.g., key length) can lead to crashes and potentially more severe impact when processing untrusted PKCS#12 files (e.g., certificate import/export, PKI/CA tooling). Affected versions called out include OpenSSL 3.x (with additional low-severity issues spanning older branches such as 1.0.2 and 1.1.1), and patched releases include 3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19 (with corresponding fixes for older maintained lines). Datadog notes OpenSSL 3.x FIPS modules are not affected by the highlighted CMS and PKCS#12 overflow issues, and both sources point to higher risk in services that ingest these formats from external or user-supplied inputs (e.g., S/MIME gateways, certificate management services).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Aisle discovers 12 OpenSSL vulnerabilities
Cybersecurity firm Aisle identified 12 previously undetected vulnerabilities in OpenSSL, including CVE-2025-15467 and CVE-2025-11187. One source says some of the flaws may have existed in the codebase since 1998.
OpenSSL releases patched versions for affected branches
OpenSSL released fixes for the 12 vulnerabilities and recommended upgrading to patched versions including 3.6.1, 3.5.5, 3.4.4, 3.3.6, 3.0.19, and premium 1.1.1ze and 1.0.2zn. The project also advised limiting exposure to untrusted CMS and PKCS#12 inputs because exploitability depends on whether applications parse such data.
OpenSSL publishes January 2026 security advisory for 12 flaws
On January 27, 2026, the OpenSSL project disclosed details for 12 vulnerabilities affecting versions 1.0.2, 1.1.1, and multiple 3.x releases. The advisory highlighted high-severity CVE-2025-15467 in CMS AuthEnvelopedData parsing, moderate-severity CVE-2025-11187 in PKCS#12 PBMAC1 validation, and 10 low-severity issues.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
OpenSSL patches 12 vulnerabilities, including high-severity RCE flaw | SC Media
scworld.com
Open sourceAI-assisted cybersecurity team discovers 12 OpenSSL vulnerabilities, claims humans are the limiting factor - some vulnerabilities have been around for decades | Tom's Hardware
tomshardware.com
Open sourceOpenSSL issued security updates to fix 12 flaws, including Remote Code Execution
securityaffairs.com
Open sourceOpenSSL Vulnerabilities Allow Remote Attackers to Execute Malicious Code
cybersecuritynews.com
Open sourceOpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows | Datadog Security Labs
securitylabs.datadoghq.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenSSL Security Advisory for CMS and PKCS#12 Buffer Overflows
OpenSSL issued a **corrected security advisory** for its January 2026 update, adding **CVE-2026-22795** and **CVE-2026-22796** to the bulletin. The issues are described as **buffer overflows** affecting OpenSSL’s handling of **CMS** and **PKCS#12**, which can be triggered via crafted cryptographic inputs and may lead to memory corruption and potential exploitation depending on how vulnerable code paths are reached in consuming applications. A technical write-up of the same OpenSSL update highlights the CMS and PKCS#12 parsing risk and reinforces the need for rapid patching across environments that ingest untrusted certificates, signed messages, or PKCS#12 bundles (common in enterprise identity and certificate workflows). Other items in the set are unrelated (Firefox WebRTC RCE, Kubernetes authorization-to-RCE technique, a separate vulnerability-chain case study, operational security guidance, and non-OpenSSL security news) and should not be conflated with the OpenSSL advisory.
Mar 21, 2026
OpenSSL fixes high-severity PKCS#7 use-after-free and broad library flaws
OpenSSL disclosed a broad set of vulnerabilities affecting ASN.1 parsing, PKCS#12, CMS/PKCS#7, QUIC, OCSP, CMP/CRMF, DH key validation, AEAD cipher handling, and certificate and email validation across the 4.0, 3.6, 3.5, 3.4, and 3.0 branches. The most severe issue, **CVE-2026-45447**, is a high-severity heap use-after-free in `PKCS7_verify()` that can be triggered by specially crafted PKCS#7 or S/MIME signed messages and could lead to crashes, heap corruption, or potentially remote code execution. The advisory also details moderate-severity flaws that could enable forged CMS `AuthEnvelopedData` messages, denial-of-service conditions in QUIC and OCSP processing, a TLS client double-free via OCSP stapling, a QUIC server `NULL` dereference, and cryptographic failures in AES-OCB when applications use the `EVP_Cipher()` one-shot API, alongside numerous lower-severity parsing, validation, and bounds-checking bugs. OpenSSL said most issues were fixed in **4.0.1**, **3.6.3**, **3.5.7**, **3.4.6**, and **3.0.21**, with **1.1.1zh** and **1.0.2zq** issued for supported legacy customers; most flaws were reported as outside the OpenSSL FIPS module boundary, except **CVE-2026-42770**, which affects FIPS modules in multiple supported branches.
Jun 10, 2026
OpenSSL Releases Patch Multiple CVEs Across Supported Branches
The OpenSSL Project released updated versions across multiple supported branches to fix a set of security flaws in the SSL/TLS toolkit, with **OpenSSL 3.6.2** carrying the broadest set of patches. The updates address issues including incorrect failure handling in RSA KEM `RSASVE` encapsulation, an out-of-bounds read in `AES-CFB-128` on x86-64 systems with `AVX-512` support, a potential use-after-free in DANE client code, several `NULL` pointer dereference bugs, and a heap buffer overflow in hexadecimal conversion. OpenSSL said the most severe issue in the release was rated **Moderate**. Additional releases — **3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg, and 1.0.2zp** — also shipped with security fixes and minor bug corrections, though older branches received smaller subsets of the patches. The 3.6.2 release also repaired two regressions introduced in 3.6.0 affecting `X509_V_FLAG_CRL_CHECK_ALL` behavior and stapled OCSP response handling that could trigger handshake failures. Administrators running **OpenSSL 3.6.x** on x86-64 systems with `AVX-512` enabled were specifically urged to prioritize the `AES-CFB-128` fix because of memory-read exposure.
May 7, 2026