CVE-2025-15467

CVE-2025-15467 is a stack buffer overflow vulnerability in OpenSSL's CMS parser. When processing CMS AuthEnvelopedData or EnvelopedData structures that use AEAD ciphers such as AES-GCM, the Initialization Vector (IV) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying its length against the destination buffer size. This allows an oversized IV in a crafted message to cause an out-of-bounds stack write before any authentication or tag verification. The vulnerability affects OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6; OpenSSL 1.1.1 and 1.0.2 are not affected, nor are the FIPS modules in the vulnerable versions, as the CMS implementation falls outside the FIPS module boundary.

Any unauthenticated attacker can exploit this issue by supplying a maliciously crafted CMS or PKCS#7 message to applications or services that parse untrusted content using AEAD ciphers, such as S/MIME AuthEnvelopedData with AES-GCM. No valid key material is required, as the overflow occurs prior to authentication checks. Exploitation requires user interaction (UI:R) but has network accessibility (AV:N), low attack complexity (AC:L), and no privileges (PR:N). Successful exploitation reliably causes a crash for denial of service and may enable remote code execution depending on platform and toolchain mitigations like stack canaries or ASLR, with a CVSS v3.1 base score of 8.8 (C:H/I:H/A:H) and CWE-787 (Out-of-bounds Write).

OpenSSL has addressed this vulnerability through patches committed to their repository, including commits 2c8f0e5fa9b6ee5508a0349e4572ddb74db5a703, 5f26d4202f5b89664c5c3f3c62086276026ba9a9, 6ced0fe6b10faa560e410e3ee8d6c82f06c65ea3, ce39170276daec87f55c39dad1f629b56344429e, and d0071a0799f20cc8101730145349ed4487c268dc. Security practitioners should update affected OpenSSL deployments to incorporate these fixes and audit applications handling untrusted CMS/PKCS#7 content for exposure.