OpenSSL: 12 security gaps, one allows malicious code execution and is critical
12 security vulnerabilities have been discovered in OpenSSL – using AI tools. One of them is considered critical. Updated software is available.
(Image: Emergency in the data center; vchal/Shutterstock.com)
IT researchers have discovered 12 security vulnerabilities in the open-source encryption library OpenSSL, one of which is considered critical. Attackers can use it to inject malicious code, for example. It is also noteworthy that the IT security researchers discovered the vulnerabilities using AI systems.
Aisle staff report this in a blog post. A stack-based buffer overflow can occur when vulnerable OpenSSL versions process “CMS AuthEnvelopedData” messages with maliciously crafted AEAD parameters. This can potentially lead to a crash and thus a denial of service; alternatively, malicious code supplied from the network can be executed, explains the OpenSSL project in its vulnerability description. The overflow occurs before authentication, so no valid keys or parts thereof are needed (CVE-2025-15467, CVSS 9.8, risk “critical”). The higher risk rating comes from the US IT security authority CISA; the OpenSSL project itself classifies the vulnerability only as risk “high”.
A second vulnerability stems from missing verification of some parameters in PKCS#12 certificate files. Carefully crafted entries can trigger a stack-based buffer overflow or a null pointer dereference, leading to a crash of the software or potentially to execution of injected malicious code. Since applications do not normally load untrusted PKCS#12 files, which usually contain private keys, the OpenSSL developers classify the vulnerability as moderate (CVE-2025-11187, CVSS 6.1, risk “medium”).
OpenSSL: Many low-risk vulnerabilities
The remaining ten vulnerabilities are classified as low risk: CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795 and CVE-2026-22796 can essentially be exploited by attackers for denial-of-service attacks.
The vulnerabilities are patched in OpenSSL versions 3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19. Some of the vulnerabilities classified as low risk also affect older versions; OpenSSL 1.1.1ze and OpenSSL 1.0.2zn will be provided for premium support customers. IT managers should install the updates promptly because of the critical vulnerability.
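A quick way to compare an installed OpenSSL against the fixed releases listed above, as an added helper script that is neither the OpenSSL project's nor the article's own code; it assumes `openssl version` prints the version number as its second word, and it covers only the 3.x branches named above (the 1.1.1 and 1.0.2 premium-support releases are deliberately left out):

```shell
# Added helper (not OpenSSL project code). Fixed releases per 3.x branch, as named in the
# article; 1.1.1 and 1.0.2 are premium-support-only and deliberately not covered here.
fixed_for_branch() {
    case "$1" in
        3.6) echo 3.6.1 ;;
        3.5) echo 3.5.5 ;;
        3.4) echo 3.4.4 ;;
        3.3) echo 3.3.6 ;;
        3.0) echo 3.0.19 ;;
        *)   return 1 ;;   # EOL branches (3.1, 3.2) and 1.x: no fixed release listed
    esac
}

# Numeric comparison of dotted versions; prints -1, 0 or 1 (missing components count as 0).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a= || a=${a#*.}
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# is_patched VERSION -> 0: at or above the fixed release for its branch,
#                       1: below it (update), 2: branch not in the table above.
is_patched() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop suffixes such as "-dev" or "w"
    case "$v" in *.*.*) ;; *) return 2 ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    fixed=$(fixed_for_branch "$major.$minor") || return 2
    [ "$(vercmp "$v" "$fixed")" -ge 0 ]
}

# Report on the openssl binary found on PATH ("openssl version" prints e.g. "OpenSSL 3.0.13 ...").
report_installed() {
    command -v openssl >/dev/null 2>&1 || { echo "no openssl binary on PATH"; return 2; }
    ver=$(openssl version | awk '{print $2}')
    rc=0; is_patched "$ver" || rc=$?
    case $rc in
        0) echo "OpenSSL $ver: at or above the fixed release for its branch" ;;
        1) echo "OpenSSL $ver: below the fixed release for its branch, update it" ;;
        *) echo "OpenSSL $ver: branch not covered by the fixed-version table" ;;
    esac
    return $rc
}
report_installed || true
```

Note that a distribution package may backport fixes without bumping the upstream version string, so a "below the fixed release" result is a prompt to check the vendor advisory, not proof of exposure.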
It is somewhat surprising that the vulnerabilities were discovered using Aisle's AI tools. The curl project, for example, discontinued its bug bounty program because it was flooded with unusable AI-generated vulnerability reports. The effort of investigating the sometimes plausible-sounding reports, only to find that they were hallucinations or simply fabricated vulnerabilities, had become too much.
(dmk)