OpenSSL Security Advisory for CMS and PKCS#12 Buffer Overflows
OpenSSL issued a corrected security advisory for its January 2026 update, adding CVE-2026-22795 and CVE-2026-22796 to the bulletin. The issues are described as buffer overflows affecting OpenSSL’s handling of CMS and PKCS#12, which can be triggered via crafted cryptographic inputs and may lead to memory corruption and potential exploitation depending on how vulnerable code paths are reached in consuming applications.
A technical write-up of the same OpenSSL update highlights the CMS and PKCS#12 parsing risk and reinforces the need for rapid patching across environments that ingest untrusted certificates, signed messages, or PKCS#12 bundles (common in enterprise identity and certificate workflows). Other items in the set are unrelated (Firefox WebRTC RCE, Kubernetes authorization-to-RCE technique, a separate vulnerability-chain case study, operational security guidance, and non-OpenSSL security news) and should not be conflated with the OpenSSL advisory.
Timeline
Jan 28, 2026
OpenSSL corrects advisory to add CVE-2026-22795 and CVE-2026-22796
A corrected OpenSSL security advisory added the identifiers CVE-2026-22795 and CVE-2026-22796. The available reference does not provide further technical details or remediation information.
Jan 27, 2026
OpenSSL issues January 2026 security update for CMS and PKCS#12 flaws
OpenSSL released or announced a January 2026 security update addressing buffer overflow vulnerabilities in CMS- and PKCS#12-related code, as referenced by security community posts linking to further analysis.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
Related Stories
OpenSSL January Security Update Fixes CMS and PKCS#12 Stack Overflows With RCE Risk
**OpenSSL released a security update on January 27, 2026**, addressing **12 vulnerabilities** across supported branches, including **one High-severity issue with potential remote code execution (RCE)**, one Moderate, and multiple Low-severity flaws. The most serious vulnerability, **CVE-2025-15467 (High)**, is a **pre-authentication stack buffer overflow** in **CMS `AuthEnvelopedData` parsing** when using AEAD ciphers (e.g., **AES-GCM**); a crafted CMS message with an **oversized IV in ASN.1 parameters** can trigger a crash and may enable code execution in applications that parse **untrusted CMS/PKCS#7 content** (notably **S/MIME** workflows). Both sources emphasize that while **DoS is the most likely outcome in many environments**, the presence of a stack write primitive makes the issue operationally significant where untrusted CMS is processed. A second notable issue, **CVE-2025-11187 (Moderate)**, involves a **stack overflow during PKCS#12 MAC verification** (PBMAC1/PBKDF2-related validation), where attacker-controlled parameters (e.g., key length) can lead to crashes and potentially more severe impact when processing **untrusted PKCS#12 files** (e.g., certificate import/export, PKI/CA tooling). Affected versions called out include **OpenSSL 3.x** (with additional low-severity issues spanning older branches such as **1.0.2 and 1.1.1**), and patched releases include **3.6.1, 3.5.5, 3.4.4, 3.3.6, and 3.0.19** (with corresponding fixes for older maintained lines). Datadog notes **OpenSSL 3.x FIPS modules are not affected** by the highlighted CMS and PKCS#12 overflow issues, and both sources point to higher risk in services that ingest these formats from external or user-supplied inputs (e.g., S/MIME gateways, certificate management services).
1 months ago
OpenSSL Releases Patch Multiple CVEs Across Supported Branches
The OpenSSL Project released updated versions across multiple supported branches to fix a set of security flaws in the SSL/TLS toolkit, with **OpenSSL 3.6.2** carrying the broadest set of patches. The updates address issues including incorrect failure handling in RSA KEM `RSASVE` encapsulation, an out-of-bounds read in `AES-CFB-128` on x86-64 systems with `AVX-512` support, a potential use-after-free in DANE client code, several `NULL` pointer dereference bugs, and a heap buffer overflow in hexadecimal conversion. OpenSSL said the most severe issue in the release was rated **Moderate**. Additional releases — **3.5.6, 3.4.5, 3.3.7, 3.0.20, 1.1.1zg, and 1.0.2zp** — also shipped with security fixes and minor bug corrections, though older branches received smaller subsets of the patches. The 3.6.2 release also repaired two regressions introduced in 3.6.0 affecting `X509_V_FLAG_CRL_CHECK_ALL` behavior and stapled OCSP response handling that could trigger handshake failures. Administrators running **OpenSSL 3.6.x** on x86-64 systems with `AVX-512` enabled were specifically urged to prioritize the `AES-CFB-128` fix because of memory-read exposure.
3 weeks ago
rust-openssl Flaws Enable Memory Disclosure and Buffer Overwrite
Two high-severity vulnerabilities were disclosed in **rust-openssl**, the Rust bindings for OpenSSL, affecting multiple `0.9.x` and `0.10.x` releases prior to **`0.10.78`**. **`CVE-2026-41898`** affects versions from `0.9.24` up to, but not including, `0.10.78`, where several FFI trampoline callback paths passed a closure-returned `usize` to OpenSSL without validating it against the output buffer size. The flaw can trigger buffer overflows and leak adjacent memory to a network peer, and it is mapped to **`CWE-126`** and **`CWE-130`**. A second issue, **`CVE-2026-41681`**, affects versions from `0.10.39` up to, but not including, `0.10.78`, in `MdCtxRef::digest_final()`, which writes `EVP_MD_CTX_size(ctx)` bytes to the caller buffer without checking whether the buffer is large enough. The resulting out-of-bounds write can cause stack corruption and is reachable from safe Rust, with the weakness classified as **`CWE-121`**. Both vulnerabilities were addressed in **`rust-openssl 0.10.78`**, with public advisories, code references, and fix details released alongside the CVE records.
1 weeks ago