Cyber Resilience

CVE-2025-15467

High · Public PoC · Updated

Published: 27 January 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.4585 (98.7th percentile)
Risk priority: 60 (floored blend, peak EPSS)

Summary

CVE-2025-15467 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in OpenSSL (CPE vendor/product: Openssl Openssl). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 1.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15467 is a stack buffer overflow in OpenSSL that occurs when parsing CMS AuthEnvelopedData or EnvelopedData structures containing AEAD ciphers such as AES-GCM. The flaw arises because the ASN.1-encoded IV from the message parameters is copied into a fixed-size stack buffer without length validation, and the write happens before any authentication or tag check. OpenSSL versions 3.0 through 3.6 are affected, while the FIPS modules in those releases, as well as OpenSSL 1.1.1 and 1.0.2, are not.

An unauthenticated remote attacker can supply a malicious CMS or PKCS#7 message, for example via S/MIME, to any application or service that processes untrusted CMS content with AEAD ciphers. The oversized IV triggers an out-of-bounds stack write that may cause a crash resulting in denial of service or, depending on platform mitigations, remote code execution; no valid key material is required to reach the vulnerable code path.

The referenced OpenSSL commits implement bounds checking on the IV length during CMS parameter parsing, and upgrading to a patched version of the library is the indicated remediation. The associated EPSS score has remained flat at a low value of 0.0289 with no material increase after disclosure.

Vulnerability details

Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData messages with maliciously crafted AEAD parameters can trigger a stack buffer overflow.

Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
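As an added illustration of the missing bounds check that the Deeper analysis and the Vulnerability details describe (this is not OpenSSL's own code; the 16-byte destination and the DER OCTET STRING framing of the IV are assumptions), this C parser validates the encoded IV length against both the remaining input and the destination capacity before any copy, which is the SI-10 style check that closes the oversized-IV write:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_IV_LEN 16   /* assumed destination size, not OpenSSL's real layout */

/* Parse a DER OCTET STRING carrying an AEAD IV into a fixed-size buffer.
 * Returns 1 and sets *iv_len on success, 0 on malformed, truncated or
 * oversized input. The length is checked against the remaining input and
 * the destination capacity BEFORE memcpy: the pre-copy check the
 * affected parser lacked according to the CVE description. */
int cms_aead_iv_parse(const uint8_t *der, size_t der_len,
                      uint8_t *iv_out, size_t iv_cap, size_t *iv_len)
{
    size_t pos = 0, len = 0;
    if (der == NULL || der_len < 2 || der[pos++] != 0x04)  /* OCTET STRING */
        return 0;
    if (der[pos] < 0x80) {                  /* short-form length */
        len = der[pos++];
    } else {                                /* long form: 0x8N, then N bytes */
        size_t nbytes = der[pos++] & 0x7F;
        if (nbytes == 0 || nbytes > sizeof(size_t) || der_len - pos < nbytes)
            return 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | der[pos++];
    }
    if (len > der_len - pos || len > iv_cap)  /* reject before any write */
        return 0;
    memcpy(iv_out, der + pos, len);
    *iv_len = len;
    return 1;
}

/* Constructed sample: a well-formed 12-byte GCM-style IV. Returns iv_len. */
int demo_valid_iv(void)
{
    const uint8_t der[] = { 0x04, 0x0C, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
    uint8_t iv[MAX_IV_LEN]; size_t n = 0;
    return cms_aead_iv_parse(der, sizeof der, iv, sizeof iv, &n) ? (int)n : -1;
}

/* Constructed sample: a 64-byte IV that would overrun the 16-byte buffer. */
int demo_oversized_iv(void)
{
    uint8_t der[2 + 64] = { 0x04, 0x40 };   /* remaining bytes are zero */
    uint8_t iv[MAX_IV_LEN]; size_t n = 0;
    return cms_aead_iv_parse(der, sizeof der, iv, sizeof iv, &n);  /* 0 */
}
```

The same length check also rejects an encoding whose declared length exceeds the bytes actually present, so a truncated message cannot cause an over-read either.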

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Stack buffer overflow in OpenSSL CMS parser enables remote exploitation of client applications parsing untrusted content (e.g., S/MIME) for code execution (T1203) and reliable crashes for denial of service (T1499.004), with AV:N/AC:L/PR:N/UI:R.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31789: same product (Openssl Openssl)
CVE-2025-69419: same product (Openssl Openssl)
CVE-2026-28390: same product (Openssl Openssl)
CVE-2026-28389: same product (Openssl Openssl)
CVE-2026-28386: same product (Openssl Openssl)
CVE-2026-28387: same product (Openssl Openssl)
CVE-2025-69421: same product (Openssl Openssl)
CVE-2025-69420: same product (Openssl Openssl)
CVE-2026-28388: same product (Openssl Openssl)
CVE-2026-31790: same product (Openssl Openssl)

Affected Assets

openssl / openssl (CPE vendor / product)
Affected versions: 3.0.0 to 3.0.19, 3.1.0 to 3.3.6, 3.4.0 to 3.4.4

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 Flaw Remediation (control named in the Summary)

Directly requires timely application of patches that implement the IV length bounds check in CMS (Auth)EnvelopedData parsing, eliminating the vulnerable code path in OpenSSL 3.0-3.6.

Prevent: SI-10 Information Input Validation (control named in the Summary)

Mandates validation of all untrusted input (here the ASN.1-encoded AEAD IV length) before any copy or processing occurs, blocking the oversized-IV stack write.

Prevent: memory protection (control identifier not shown on this page)

Requires memory-protection mechanisms that can detect or block out-of-bounds stack writes, limiting exploitability of the buffer overflow to DoS rather than RCE.
