CVE-2025-15467
Published: 27 January 2026
Summary
CVE-2025-15467 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Openssl Openssl. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 14.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of flaws like the stack buffer overflow in vulnerable OpenSSL versions by applying patches such as those committed for CVE-2025-15467.
SI-10 mandates validation of inputs like CMS AuthEnvelopedData ASN.1 parameters to reject oversized IVs before copying into fixed-size stack buffers.
SI-16 implements memory protections such as stack canaries and ASLR to mitigate exploitation of the stack buffer overflow for remote code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack buffer overflow in OpenSSL CMS parser enables remote exploitation of client applications parsing untrusted content (e.g., S/MIME) for code execution (T1203) and reliable crashes for denial of service (T1499.004), with AV:N/AC:L/PR:N/UI:R.
NVD Description
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When…
more
parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Deeper analysisAI
CVE-2025-15467 is a stack buffer overflow vulnerability in OpenSSL's CMS parser. When processing CMS AuthEnvelopedData or EnvelopedData structures that use AEAD ciphers such as AES-GCM, the Initialization Vector (IV) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying its length against the destination buffer size. This allows an oversized IV in a crafted message to cause an out-of-bounds stack write before any authentication or tag verification. The vulnerability affects OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6; OpenSSL 1.1.1 and 1.0.2 are not affected, nor are the FIPS modules in the vulnerable versions, as the CMS implementation falls outside the FIPS module boundary.
Any unauthenticated attacker can exploit this issue by supplying a maliciously crafted CMS or PKCS#7 message to applications or services that parse untrusted content using AEAD ciphers, such as S/MIME AuthEnvelopedData with AES-GCM. No valid key material is required, as the overflow occurs prior to authentication checks. Exploitation requires user interaction (UI:R) but has network accessibility (AV:N), low attack complexity (AC:L), and no privileges (PR:N). Successful exploitation reliably causes a crash for denial of service and may enable remote code execution depending on platform and toolchain mitigations like stack canaries or ASLR, with a CVSS v3.1 base score of 8.8 (C:H/I:H/A:H) and CWE-787 (Out-of-bounds Write).
OpenSSL has addressed this vulnerability through patches committed to their repository, including commits 2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703, 5f26d4202f5b89664c5c3f3c62086276026ba9a9, 6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3, ce39170276daec87f55c39dad1f629b56344429e, and d0071a0799f20cc8101730145349ed4487c268dc. Security practitioners should update affected OpenSSL deployments to incorporate these fixes and audit applications handling untrusted CMS/PKCS#7 content for exposure.
Details
- CWE(s)