Input Truncation Issue in OpenSSL Tool Affects Integrity of File Signatures
CVE-2025-15469

Currently unrated

Key Information:

Vendor: OpenSSL

Status
Vendor
CVE Published: 27 January 2026

What is CVE-2025-15469?

The OpenSSL command-line tool silently truncates input data to 16MB when using one-shot signing algorithms such as Ed25519, Ed448, and ML-DSA. As a result, users may believe that files larger than 16MB are fully authenticated when, in reality, any trailing data beyond the 16MB limit remains unauthenticated. Workflows that sign and verify files with the tool therefore carry an integrity gap, because the tool does not report an error as its documentation says it should. This primarily affects operations that use the affected command-line functionality for both signing and verification, while library API users remain unaffected.

Affected Version(s)

OpenSSL 3.6.0 < 3.6.1

OpenSSL 3.5.0 < 3.5.5
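
A pre-signing check built from the two conditions described above (a file larger than 16MB and a command-line tool in the listed version ranges), as an added example that is not code from OpenSSL or from this page. The function names are hypothetical, and "16MB" is assumed to mean 16 MiB.

```shell
#!/bin/sh
# Added example, not OpenSSL project code.
# Assumption: the page's "16MB" is read as 16 MiB (16 * 1024 * 1024 bytes).
LIMIT_BYTES=$((16 * 1024 * 1024))

# version_affected X.Y.Z: succeeds if X.Y.Z falls in the ranges this page
# lists (3.6.0 < 3.6.1, 3.5.0 < 3.5.5).
version_affected() {
    v=${1%%[!0-9.]*}                      # drop any suffix after the digits
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;                    # not a three-part version
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    case "$major.$minor" in
        3.6) [ "$patch" -lt 1 ] ;;
        3.5) [ "$patch" -lt 5 ] ;;
        *)   return 1 ;;
    esac
}

# file_over_limit FILE: succeeds if FILE has bytes beyond the limit.
file_over_limit() {
    size=$(( $(wc -c < "$1") ))           # arithmetic strips wc's padding
    [ "$size" -gt "$LIMIT_BYTES" ]
}

# check_file FILE VERSION: 0 = fine, 1 = trailing data at risk, 2 = missing.
check_file() {
    file=$1; ver=$2
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    if file_over_limit "$file" && version_affected "$ver"; then
        echo "AT-RISK $file: over 16MB; one-shot CLI signatures from openssl $ver cover only the first 16MB"
        return 1
    fi
    echo "OK      $file"
}

# Usage: sh check.sh FILE...   (uses the version of the openssl on PATH)
if [ "$#" -gt 0 ]; then
    ver=$(openssl version | awk '{print $2}')
    status=0
    for f in "$@"; do check_file "$f" "$ver" || status=1; done
    exit "$status"
fi
```

The version comparison relies on the string printed by `openssl version`; distribution packages that backport fixes without changing that string need to be checked against the distributor's own advisory.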

Credit

Stanislav Fort (Aisle Research)
Viktor Dukhovni