Threat Research

OpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows | Datadog Security Labs

DataDogHQ
OpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows | Datadog Security Labs

OpenSSL disclosed a set of vulnerabilities on January 27, 2026, including one high-severity, one moderate-severity, and ten low-severity issues affecting OpenSSL 1.0.2, 1.1.1, and the 3.x series (3.0, 3.3–3.6). The most critical is CVE-2025-15467, a pre-auth stack buffer overflow in CMS AuthEnvelopedData AEAD parsing that can cause crashes and may enable RCE, while CVE-2025-11187 is a PBKDF2-related overflow in PKCS#12 MAC verification that is more likely to cause denial-of-service; mitigations include upgrading affected OpenSSL builds and runtimes and monitoring services that parse untrusted CMS/PKCS#12 inputs. #OpenSSL #CVE-2025-15467

Keypoints

  • OpenSSL published details on vulnerabilities affecting versions 1.0.2, 1.1.1, and 3.x (3.0, 3.3–3.6) on January 27, 2026.
  • The disclosure includes one high-severity (CVE-2025-15467), one moderate-severity (CVE-2025-11187), and ten low-severity issues.
  • CVE-2025-15467 is a pre-auth stack buffer overflow in CMS AuthEnvelopedData AEAD parsing (oversized IV) affecting OpenSSL 3.0, 3.3, 3.4, 3.5, 3.6; FIPS modules for 3.x are not affected.
  • CVE-2025-11187 is a stack buffer overflow in PKCS#12 PBMAC1 MAC verification when PBKDF2-derived key length is attacker-controlled, affecting OpenSSL 3.4, 3.5, 3.6; FIPS modules are not affected.
  • The most realistic real-world impact is denial of service (process crash), though CVE-2025-15467 provides the strongest primitive and could enable RCE under certain build/platform conditions; modern mitigations reduce exploitability.
  • Mitigation steps include upgrading OpenSSL or the runtime that bundles it (e.g., Node.js), avoiding parsing untrusted CMS/PKCS#12 inputs, and monitoring for repeated crashes or anomalous service restarts; Datadog and vendor advisories can help detect and remediate affected assets.

MITRE Techniques

Indicators of Compromise

  • [File names ] Proof-of-concept and sample files used in demonstrations – temp/encDataWithTooLongIV.pem, CVE-2025-11187-keylen-8192.p12, and servercert.pem/serverkey.pem (used as recipient cert/key in PoC commands)

Read more: https://securitylabs.datadoghq.com/articles/openssl-january-2026-security-update-cms-and-pkcs12-buffer-overflows/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint