Memory Under Siege: OpenSSL Releases Urgent Patches for Critical Buffer Overflows

The OpenSSL team has disseminated a comprehensive security advisory detailing a constellation of vulnerabilities afflicting the ubiquitous cryptographic library. The update, dated January 27, 2026, delineates a spectrum of issues varying in severity, ranging from perilous buffer overflows to errors precipitating application failures. While certain flaws may be utilized for remote code execution and others incite denial of service, all demand the immediate and urgent attention of administrators and developers alike.

Deemed the most critical is vulnerability CVE-2025-15467, linked to a stack buffer overflow during the parsing of CMS AuthEnvelopedData. The error manifests during the processing of messages utilizing AEAD ciphers, such as AES-GCM, wherein a malicious actor transmits a specially crafted, enlarged initialization vector. This precipitates an out-of-bounds memory write prior to message authentication, potentially culminating in either a denial of service or arbitrary code execution, contingent upon the platform.

Particular emphasis is placed on CVE-2025-11187, a defect within the PKCS#12 file verification mechanism employing PBMAC1. Incorrect parameters may trigger a stack buffer overflow and references to invalid pointers. This results in application crashes and could theoretically establish conditions ripe for exploitation. Although such files are typically regarded as trusted, the developers have nonetheless classified the risk as significant.

The bulletin also enumerates a litany of vulnerabilities of low to moderate severity. Among these are an error in the “openssl dgst” utility (CVE-2025-15469), whereby data exceeding 16 MB is silently truncated during signing; a memory exhaustion issue in TLS 1.3 involving compressed certificates (CVE-2025-66199); as well as vulnerabilities involving out-of-bounds reads and NULL pointer dereferences across various components. These include CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2025-15468, and nascent issues in PKCS#12 and PKCS#7 parsing, registered as CVE-2026-22795 and CVE-2026-22796.

According to the developers, these vulnerabilities afflict various OpenSSL branches, including versions 3.6, 3.5, 3.4, 3.3, and 3.0, depending on the specific error. Patches have already been released, and users are exhorted to upgrade to current releases—such as OpenSSL 3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19—with all due haste. For certain deprecated branches, updates are available within the framework of paid support.

The publication of this bulletin underscores once again the complexity and fragility inherent in cryptographic infrastructure, even within mature and widely utilized projects. For enterprises and developers, this serves as a poignant reminder of the necessity for regular updates and vigilant version control, particularly for systems interacting with external certificates, PKCS#12 containers, and cryptographic messages.