RHSA-2026:1473 Important

RHSA-2026:1473: openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing

Vendor: Red Hat
Released: January 28, 2026
Updated: February 03, 2026
Restart: Required

Description

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

A flaw was found in OpenSSL. A remote attacker can exploit a stack buffer overflow vulnerability by supplying a crafted Cryptographic Message Syntax (CMS) message with an oversized Initialization Vector (IV) when parsing AuthEnvelopedData structures that use Authenticated Encryption with Associated Data (AEAD) ciphers such as AES-GCM. This can lead to a crash, causing a Denial of Service (DoS), or potentially allow for remote code execution.
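The length check whose absence the description reports, as an added illustration (not OpenSSL's or Red Hat's code): a minimal reader for the RFC 5084 `GCMParameters` structure that refuses an `aes-nonce` larger than the destination buffer before copying it. `MAX_IV_LEN`, `der_header`, `gcm_params_get_iv` and the sample bytes are assumptions constructed for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_IV_LEN 16 /* assumed size of the fixed destination buffer */
/* Constructed samples: DER GCMParameters with a 12-byte and a 32-byte aes-nonce. */
static const uint8_t SAMPLE_OK[19] = {0x30, 0x11, 0x04, 0x0c, 1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 0x02, 0x01, 0x10};
static const uint8_t SAMPLE_BIG[36] = {0x30, 0x22, 0x04, 0x20}; /* nonce zero-filled */

/* Parse one DER tag/length header (lengths up to 255 only). Returns the header
 * size, or 0 if the tag differs, the length is malformed, or the value overruns len. */
static size_t der_header(const uint8_t *p, size_t len, uint8_t tag, size_t *vlen)
{
    if (len < 2 || p[0] != tag)
        return 0;
    size_t hdr = 2;
    *vlen = p[1];
    if (p[1] >= 0x80) { /* long form: accept only a minimal one-byte length */
        if (p[1] != 0x81 || len < 3 || p[2] < 0x80)
            return 0;
        *vlen = p[2];
        hdr = 3;
    }
    return (*vlen <= len - hdr) ? hdr : 0;
}

/* Copy aes-nonce into iv. Returns its length, or -1 if malformed or oversized. */
int gcm_params_get_iv(const uint8_t *der, size_t der_len, uint8_t iv[MAX_IV_LEN])
{
    size_t seq_len, iv_len;
    size_t hdr = der_header(der, der_len, 0x30, &seq_len); /* SEQUENCE */
    if (hdr == 0)
        return -1;
    der += hdr;
    hdr = der_header(der, seq_len, 0x04, &iv_len); /* OCTET STRING aes-nonce */
    if (hdr == 0)
        return -1;
    /* Bound the untrusted length against the buffer size before copying. */
    if (iv_len == 0 || iv_len > MAX_IV_LEN)
        return -1;
    memcpy(iv, der + hdr, iv_len);
    return (int)iv_len;
}

int main(void)
{
    uint8_t iv[MAX_IV_LEN];
    return !(gcm_params_get_iv(SAMPLE_OK, sizeof SAMPLE_OK, iv) == 12 &&
             gcm_params_get_iv(SAMPLE_BIG, sizeof SAMPLE_BIG, iv) == -1);
}
```

The oversized sample is rejected on its declared length alone, before any key or tag is involved, which mirrors the advisory's point that the copy happens ahead of authentication.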

Fixed Vulnerabilities 12

CVE-2025-15467 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow…

CVE-2025-69420 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type,…

CVE-2026-22796 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating…

CVE-2025-66199 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate…

CVE-2025-69419 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a…

CVE-2025-69421 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger…

CVE-2025-68160 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based…

CVE-2026-22795 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed…

CVE-2025-15468 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a…

CVE-2025-69418 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can…

CVE-2025-15469 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.…

CVE-2025-11187 N/A 0.0 ⚠️ KEV fixed
Jan 27, 2026

Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC…

Quick Info

Patch ID: RHSA-2026:1473
Vendor: Red Hat
Severity: Important
CVEs Fixed: 12
Restart: Required

Vendor

Red Hat

Additional Info

cwe: CWE-120
type: Security Advisory
rhsa id: RHSA-2026:1473
cvss score: 9.8
mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
cvss vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
rhsa number: 2026:1473
