Stack Buffer Overflow in OpenSSL PKCS#12 File Handling
CVE-2025-11187
What is CVE-2025-11187?
The OpenSSL library contains a vulnerability in its handling of PBMAC1 parameters in PKCS#12 files, caused by missing validation. The flaw can lead to a stack-based buffer overflow, which may crash the application or, in certain cases, potentially allow malicious code execution. The issue arises when the PBKDF2 salt and keylength parameters are processed without proper checks. If the keylength exceeds 64 bytes, the buffer overflows, leading to undefined behavior. In addition, an incorrectly formatted salt can result in invalid pointer dereferences. Exploitation requires an application or user to process a maliciously crafted PKCS#12 file, which underlines the importance of safeguarding against untrusted data.
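As a defensive pre-screen for the two conditions described above, the following added example (not OpenSSL's code and not part of the original advisory) walks a definite-length DER structure, finds each PBKDF2 AlgorithmIdentifier and flags a keyLength above 64 or a salt that is not an OCTET STRING. The function names and sample data are hypothetical, and treating every non-OCTET-STRING salt as malformed is an assumption about what "incorrectly formatted" covers.

```python
# Added example: screen PBKDF2 parameters before an affected OpenSSL build parses them.
PBKDF2_OID = bytes.fromhex("2a864886f70d01050c")  # id-PBKDF2, 1.2.840.113549.1.5.12
MAX_KEYLEN = 64  # limit stated in the advisory text

def read_tlv(buf, pos):
    """One definite-length DER element -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_params(params):
    """PBKDF2-params contents: salt, iterationCount, optional keyLength, prf."""
    items, findings = children(params), []
    if not items or items[0][0] != 0x04:  # assumption: only OCTET STRING salts accepted
        findings.append("salt is not an OCTET STRING")
    ints = [int.from_bytes(v, "big", signed=True) for t, v in items[1:] if t == 0x02]
    if len(ints) > 1 and not 0 < ints[1] <= MAX_KEYLEN:
        findings.append(f"keyLength {ints[1]} outside 1..{MAX_KEYLEN}")
    return findings

def scan(der):
    """Walk DER, checking every AlgorithmIdentifier that names PBKDF2."""
    items, findings = children(der), []
    if len(items) >= 2 and items[0] == (0x06, PBKDF2_OID) and items[1][0] == 0x30:
        findings += check_params(items[1][1])
    for tag, val in items:
        if tag & 0x20:  # constructed element: descend
            findings += scan(val)
    return findings

def tlv(tag, value):  # builder for the constructed samples (short lengths only)
    return bytes([tag, len(value)]) + value

def sample(keylen, salt_tag=0x04):  # constructed AlgorithmIdentifier { PBKDF2, params }
    kl = keylen.to_bytes(keylen.bit_length() // 8 + 1, "big")
    params = tlv(salt_tag, b"saltsalt") + tlv(0x02, b"\x08\x00") + tlv(0x02, kl)
    return tlv(0x30, tlv(0x06, PBKDF2_OID) + tlv(0x30, params))
```

An empty list from `scan()` means neither condition was found; a `ValueError` means the input is not well-formed definite-length DER and should be rejected rather than passed on.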

Affected Version(s)
OpenSSL 3.6.0 < 3.6.1
OpenSSL 3.5.0 < 3.5.5
OpenSSL 3.4.0 < 3.4.4