CVE-2025-15467
Published: 27 January 2026
Summary
CVE-2025-15467 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in OpenSSL. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 1.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-15467 is a stack buffer overflow in OpenSSL that occurs when parsing CMS AuthEnvelopedData or EnvelopedData structures containing AEAD ciphers such as AES-GCM. The flaw arises because the ASN.1-encoded IV from the message parameters is copied into a fixed-size stack buffer without length validation, and the write happens before any authentication or tag check. OpenSSL versions 3.0 through 3.6 are affected, while the FIPS modules in those releases, as well as OpenSSL 1.1.1 and 1.0.2, are not.
An unauthenticated remote attacker can supply a malicious CMS or PKCS#7 message, for example via S/MIME, to any application or service that processes untrusted CMS content with AEAD ciphers. The oversized IV triggers an out-of-bounds stack write that may cause a crash resulting in denial of service or, depending on platform mitigations, remote code execution; no valid key material is required to reach the vulnerable code path.
The referenced OpenSSL commits implement bounds checking on the IV length during CMS parameter parsing, and upgrading to a patched version of the library is the indicated remediation. The associated EPSS score has remained flat at a low value of 0.0289 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206379
Vulnerability details
Issue summary: Parsing a CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
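The length check the advisory describes, as an added illustration that is not OpenSSL's own code: a minimal parser for the DER OCTET STRING carrying the AEAD IV that validates the encoded length against the destination before any byte is copied, which is the class of bounds check the fix introduces. Assumptions: the 16-byte IV_BUF_LEN and the function names are hypothetical; OpenSSL's real buffer size and parsing routines are not stated on the page.

```c
#include <stddef.h>
#include <string.h>

/* Assumed destination size; the page does not give OpenSSL's real buffer size. */
#define IV_BUF_LEN 16

/* Parse a DER OCTET STRING (tag 0x04, short-form length only) carrying the AEAD
 * IV and copy it into a caller-supplied buffer of iv_cap bytes. Returns 1 on
 * success, 0 if the encoding is malformed or the IV would not fit. Every check
 * runs before the first byte is written, so an oversized IV is refused. */
static int copy_aead_iv_checked(const unsigned char *der, size_t der_len,
                                unsigned char *iv, size_t iv_cap, size_t *iv_len)
{
    size_t len;
    if (der == NULL || iv == NULL || iv_len == NULL || der_len < 2)
        return 0;
    if (der[0] != 0x04)        /* not an OCTET STRING */
        return 0;
    if (der[1] & 0x80)         /* long-form length: no real IV needs more than 127 bytes */
        return 0;
    len = der[1];
    if (len > der_len - 2)     /* declared length runs past the input */
        return 0;
    if (len > iv_cap)          /* the bounds check the fix adds: IV larger than the buffer */
        return 0;
    memcpy(iv, der + 2, len);
    *iv_len = len;
    return 1;
}

/* Returns 1 if the encoded IV in der is accepted into an IV_BUF_LEN-byte stack buffer. */
int accept_iv(const unsigned char *der, size_t der_len)
{
    unsigned char iv[IV_BUF_LEN];
    size_t n = 0;
    return copy_aead_iv_checked(der, der_len, iv, sizeof iv, &n);
}

/* Constructs an OCTET STRING holding an n-byte IV (n <= 127) and reports whether
 * accept_iv takes it, to probe the boundary around IV_BUF_LEN. */
int accepts_iv_of_length(size_t n)
{
    unsigned char der[2 + 127];
    if (n > 127) return 0;
    der[0] = 0x04;
    der[1] = (unsigned char)n;
    memset(der + 2, 0xAB, n);  /* constructed filler bytes, not a captured message */
    return accept_iv(der, n + 2);
}
```

A 12-byte GCM IV passes; anything longer than the destination is rejected before memcpy runs, along with truncated or long-form encodings.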
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stack buffer overflow in the OpenSSL CMS parser is reachable whenever a client application parses untrusted content (e.g., S/MIME), which maps to code execution (T1203) and to reliable crashes for denial of service (T1499.004), consistent with the CVSS vector AV:N/AC:L/PR:N/UI:R.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the patches that add the IV length bounds check to CMS (Auth)EnvelopedData parsing, eliminating the vulnerable code path in OpenSSL 3.0-3.6.
- SI-10 (Information Input Validation): mandates validation of all untrusted input (here the length of the ASN.1-encoded AEAD IV) before any copy or processing occurs, blocking the oversized-IV stack write.
- Memory protection: requires memory-protection mechanisms that can detect or block out-of-bounds stack writes, limiting the exploitability of the overflow to denial of service rather than remote code execution.