Critical OpenSSL Stack Buffer Overflow in CMS Parsing Poses Remote Code Execution Risk
A critical stack buffer overflow vulnerability in OpenSSL's CMS AuthEnvelopedData parsing, tracked as CVE-2025-15467, carries a CVSS score of 9.8 and could allow remote code execution.

A critical vulnerability in OpenSSL, designated CVE-2025-15467, has been disclosed with a CVSS score of 9.8, affecting versions 3.0 through 3.6. The flaw resides in the parsing of CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM. According to the advisory from Fortinet PSIRT, the issue is a stack buffer overflow triggered by a crafted ASN.1 IV parameter that exceeds the fixed-size stack buffer, leading to an out-of-bounds write before any authentication occurs.
The vulnerability can be exploited by an attacker supplying a maliciously crafted CMS or PKCS#7 message. Because the overflow happens before authentication, no valid cryptographic key material is required to trigger it. This makes the flaw particularly dangerous for applications and services that parse untrusted CMS content, such as S/MIME email clients handling AuthEnvelopedData with AES-GCM. The advisory notes that while the primary impact may be a denial of service via crash, the stack-based write primitive could be leveraged for remote code execution, depending on platform and toolchain mitigations.
OpenSSL versions 3.0, 3.3, 3.4, 3.5, and 3.6 are all vulnerable. The FIPS modules for these versions are not affected, as the CMS implementation lies outside the OpenSSL FIPS module boundary. Older versions 1.1.1 and 1.0.2 are also not vulnerable. The advisory was revised on March 13, 2026, but no patch has been released yet, leaving users reliant on mitigations such as restricting access to CMS parsing functionality or avoiding untrusted content.
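One concrete form of the "avoid untrusted content" mitigation is to screen a CMS/PKCS#7 blob before any CMS parser touches it. The following is an added example, not code from the advisory or from OpenSSL: it walks the DER, finds AES-GCM AlgorithmIdentifiers and reports any GCMParameters nonce (the IV parameter the advisory describes) longer than a policy limit. The 12-byte default is the nonce size normally used with AES-GCM and is an assumed policy value, not the size of OpenSSL's internal buffer, which the advisory does not state; `sample_with_iv` builds a constructed fragment for testing rather than a full AuthEnvelopedData, and the parser accepts only single-byte tags and definite lengths, which is what DER-encoded CMS uses.

```python
AES_GCM_OIDS = {  # DER bodies of the RFC 5084 AES-GCM content-encryption OIDs
    bytes.fromhex("608648016503040106"): "aes128-GCM",
    bytes.fromhex("60864801650304011a"): "aes192-GCM",
    bytes.fromhex("60864801650304012e"): "aes256-GCM",
}

def der_tlv(buf, pos):  # one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4: raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf): raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # yield (tag, value_start, value_end) in buf[start:end]
    while start < end:
        tag, vs, ve = der_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def gcm_iv_len(der, start, end):  # (cipher, nonce len) if an AES-GCM AlgorithmIdentifier
    kids = list(children(der, start, end))
    if len(kids) != 2 or kids[0][0] != 0x06 or kids[1][0] != 0x30:
        return None  # not SEQUENCE { OID, SEQUENCE parameters }
    name = AES_GCM_OIDS.get(der[kids[0][1]:kids[0][2]])
    params = list(children(der, kids[1][1], kids[1][2]))
    if name is None or not params or params[0][0] != 0x04:
        return None  # GCMParameters must open with the aes-nonce OCTET STRING
    return name, params[0][2] - params[0][1]

def find_oversized_gcm_ivs(der, max_iv_len=12):
    """[(cipher, iv_len)] for every AES-GCM nonce longer than max_iv_len (policy value)."""
    findings = []
    def walk(start, end):
        for tag, vs, ve in children(der, start, end):
            hit = gcm_iv_len(der, vs, ve) if tag == 0x30 else None
            if hit and hit[1] > max_iv_len:
                findings.append(hit)
            if tag & 0x20:  # constructed type (SEQUENCE, SET, [n]): descend
                walk(vs, ve)
    walk(0, len(der))
    return findings

def sample_with_iv(iv):  # constructed test fragment (bodies < 256 bytes), not a real message
    enc = lambda t, b: bytes([t, len(b)] if len(b) < 0x80 else [t, 0x81, len(b)]) + b
    params = enc(0x30, enc(0x04, iv) + enc(0x02, b"\x10"))  # GCMParameters {nonce, ICVlen 16}
    alg = enc(0x30, enc(0x06, bytes.fromhex("608648016503040106")) + params)  # aes128-GCM
    return enc(0x30, enc(0x02, b"\x00") + alg)  # SEQUENCE { INTEGER 0, AlgorithmIdentifier }
```

A malformed or truncated blob raises `ValueError` rather than being silently accepted, which is the behaviour a front-end filter should have; anything that parses cleanly and returns an empty list may then be handed to the real CMS implementation.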
The disclosure comes from Fortinet PSIRT, which published the advisory on January 30, 2026. The vulnerability highlights the ongoing risk in cryptographic libraries that handle complex ASN.1 structures. Given the widespread use of OpenSSL in web servers, email systems, and VPN appliances, the potential for exploitation is significant. Security teams are advised to monitor for updates from the OpenSSL project and apply patches as soon as they become available.
This vulnerability adds to a growing list of critical flaws in foundational software libraries. As a stack buffer overflow, CVE-2025-15467 is reminiscent of past OpenSSL issues such as Heartbleed, though the exploitation vector differs. Organizations should prioritize inventorying their use of OpenSSL and ensuring that CMS parsing is not exposed to untrusted input without additional safeguards.