AI-assisted cybersecurity team discovers 12 OpenSSL vulnerabilities, claims humans are the limiting factor — some vulnerabilities have been around for decades


OpenSSL is the open-source cryptography library that secures much of the internet's traffic, and cybersecurity researchers have recently discovered vulnerabilities in it that had gone undetected for decades. The cybersecurity team at Aisle reported in a blog post that it found 12 CVEs in OpenSSL's codebase and has issued fixes for all 12. All of these vulnerabilities were discovered only with the help of AI-powered security tools.

The 12 CVEs span high, moderate, and low severities. CVE-2025-15467 is a stack buffer overflow that could enable remote code execution under certain conditions. CVE-2025-11187 stems from missing parameter validation that could trigger a stack-based buffer overflow. The former is rated high severity, the latter moderate.

  • All high and moderate severity CVEs:
    • CVE-2025-15467: Stack Buffer Overflow in CMS AuthEnvelopedData Parsing (High): A vulnerability with the potential to enable remote code execution under specific conditions
    • CVE-2025-11187: PBMAC1 Parameter Validation in PKCS#12 (Moderate): Missing validation that could trigger a stack-based buffer overflow
  • Low severity CVEs:
    • CVE-2025-15468: Crash in QUIC protocol cipher handling
    • CVE-2025-15469: Silent truncation bug affecting post-quantum signature algorithms (ML-DSA)
    • CVE-2025-66199: Memory exhaustion via TLS 1.3 certificate compression
    • CVE-2025-68160: Memory corruption in line-buffering (affects code back to OpenSSL 1.0.2)
    • CVE-2025-69418: Encryption flaw in OCB mode on hardware-accelerated paths
    • CVE-2025-69419: Memory corruption in PKCS#12 character encoding
    • CVE-2025-69420: Crash in TimeStamp Response verification
    • CVE-2025-69421: Crash in PKCS#12 decryption
    • CVE-2026-22795: Crash in PKCS#12 parsing
    • CVE-2026-22796: Crash in PKCS#7 signature verification (affects code back to OpenSSL 1.0.2)


Aaron Klotz
Contributing Writer

Aaron Klotz is a contributing writer for Tom's Hardware, covering news related to computer hardware such as CPUs and graphics cards.

  • Li Ken-un
    "discovered with the help of AI-powered security tools."
    This is key. Someone has to check with the help of AI.

    Because if you instead rely purely on AI, then you get this: Curl ending bug bounty program after flood of AI slop reports.