Out-of-bounds Write Vulnerability in OpenSSL PKCS#12 Module
CVE-2025-69419

Currently unrated

Key Information:

Vendor

OpenSSL

Status
Vendor
CVE Published:
27 January 2026

What is CVE-2025-69419?

A maliciously crafted PKCS#12 file can trigger an out-of-bounds write in OpenSSL when an application calls PKCS12_get_friendlyname() on a bag whose friendlyName attribute is a BMPString (UTF-16BE) containing non-ASCII BMP code points. The function converts the BMPString to UTF-8, but the buffer capacity forwarded to that conversion is wrong: a code point that occupies two bytes in UTF-16BE can need three bytes in UTF-8, so the converted string can be longer than its UTF-16 source, and the conversion writes past the end of the allocated heap buffer. The result is heap memory corruption; the most likely outcome is a crash (denial of service) of any application that parses untrusted PKCS#12 files, and other consequences of the corruption cannot be ruled out. The flaw affects the OpenSSL releases listed below; the fixed versions are 3.4.4, 3.5.5 and 3.6.1.
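To make the length arithmetic behind this bug concrete, the following is an added illustrative model of the vulnerable pattern (it is not OpenSSL's code, not PKCS12_get_friendlyname(), and not its UTF-8 conversion routine). It converts a BMPString (UTF-16BE) friendly name to UTF-8, shows why the UTF-16 byte length is not a safe capacity for the UTF-8 output, and contrasts that with a bounds-checked conversion sized for the worst case. The sample friendly names, helper names and the 3-bytes-per-unit sizing rule are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample friendlyName values as BMPString (UTF-16BE) bytes (not from the advisory). */
static const uint8_t SAMPLE_ASCII[] = {0x00, 'a', 0x00, 'b'};      /* "ab": 4 UTF-16 bytes, 2 UTF-8 bytes */
static const uint8_t SAMPLE_LATIN[] = {0x00, 0xE9};                /* U+00E9: 2 UTF-16 bytes, 2 UTF-8 bytes */
static const uint8_t SAMPLE_EURO[]  = {0x20, 0xAC, 0x20, 0xAC};    /* U+20AC twice: 4 UTF-16 bytes, 6 UTF-8 bytes */

/* UTF-8 bytes needed for one BMP code point (a BMPString carries no surrogate pairs). */
static size_t utf8_width(uint32_t cp) {
    return cp < 0x80 ? 1 : (cp < 0x800 ? 2 : 3);
}

/* Exact UTF-8 size of the converted string; 0 for an odd (malformed) input length. */
static size_t utf8_len_needed(const uint8_t *bmp, size_t bmplen) {
    size_t need = 0;
    if (bmplen % 2) return 0;
    for (size_t i = 0; i < bmplen; i += 2)
        need += utf8_width(((uint32_t)bmp[i] << 8) | bmp[i + 1]);
    return need;
}

/* Worst-case capacity: every 2-byte UTF-16 unit may become 3 UTF-8 bytes. */
static size_t safe_capacity(size_t bmplen) { return (bmplen / 2) * 3; }

/* The bug class: reusing the UTF-16 byte length as the UTF-8 capacity.
   Returns 1 when that choice under-sizes the output buffer. */
static int naive_capacity_overflows(const uint8_t *bmp, size_t bmplen) {
    return utf8_len_needed(bmp, bmplen) > bmplen;
}

/* Bounds-checked converter: returns bytes written, or -1 if out (outcap bytes) is too small or input is invalid. */
static long bmp_to_utf8(const uint8_t *bmp, size_t bmplen, uint8_t *out, size_t outcap) {
    size_t o = 0;
    if (bmplen % 2) return -1;
    for (size_t i = 0; i < bmplen; i += 2) {
        uint32_t cp = ((uint32_t)bmp[i] << 8) | bmp[i + 1];
        size_t w = utf8_width(cp);
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;   /* surrogate halves are not characters */
        if (o + w > outcap) return -1;                   /* the capacity check that must hold before every write */
        if (w == 1) {
            out[o++] = (uint8_t)cp;
        } else if (w == 2) {
            out[o++] = (uint8_t)(0xC0 | (cp >> 6));
            out[o++] = (uint8_t)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (uint8_t)(0xE0 | (cp >> 12));
            out[o++] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (uint8_t)(0x80 | (cp & 0x3F));
        }
    }
    return (long)o;
}

/* Convert into a scratch buffer while pretending it has only `cap` bytes; -2 if cap exceeds the scratch space. */
static long convert_with_capacity(const uint8_t *bmp, size_t bmplen, size_t cap) {
    uint8_t buf[64];
    if (cap > sizeof buf) return -2;
    return bmp_to_utf8(bmp, bmplen, buf, cap);
}

/* Does the worst-case-sized conversion produce exactly `expected`? */
static int utf8_matches(const uint8_t *bmp, size_t bmplen, const char *expected) {
    uint8_t buf[64];
    size_t cap = safe_capacity(bmplen);
    long n;
    if (cap > sizeof buf) return 0;
    n = bmp_to_utf8(bmp, bmplen, buf, cap);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int main(void) {
    struct { const char *label; const uint8_t *bmp; size_t len; } cases[] = {
        {"ascii ab",  SAMPLE_ASCII, sizeof SAMPLE_ASCII},
        {"U+00E9",    SAMPLE_LATIN, sizeof SAMPLE_LATIN},
        {"U+20AC x2", SAMPLE_EURO,  sizeof SAMPLE_EURO},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t in = cases[i].len, need = utf8_len_needed(cases[i].bmp, in);
        printf("%-10s utf16=%zu bytes  utf8=%zu bytes  capacity-if-sized-by-input=%zu -> %s\n",
               cases[i].label, in, need, in,
               naive_capacity_overflows(cases[i].bmp, in) ? "OVERFLOW" : "fits");
    }
    return 0;
}
```

The U+20AC case is the one that matters: two UTF-16 code units (4 bytes) expand to 6 UTF-8 bytes, so any capacity derived from the input length is short by two bytes per such character, and a friendly name made entirely of code points at or above U+0800 overflows by half its own length. Characters below U+0800 (ASCII and Latin-1 such as U+00E9) never grow, which is why the advisory singles out non-ASCII BMP code points rather than non-ASCII text in general.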

Affected Version(s)

OpenSSL 3.6.x before 3.6.1 (fixed in 3.6.1)

OpenSSL 3.5.x before 3.5.5 (fixed in 3.5.5)

OpenSSL 3.4.x before 3.4.4 (fixed in 3.4.4)

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stanislav Fort (Aisle Research)
Norbert Pócs