CVE-2025-69419

EUVD-2025-206395

27.01.2026, 16:16

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously
crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing
non-ASCII BMP code point can trigger a one byte write before the allocated
buffer.

Impact summary: The out-of-bounds write can cause a memory corruption
which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12
BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,
the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16
source byte count as the destination buffer capacity to UTF8_putc(). For BMP
code points above U+07FF, UTF-8 requires three bytes, but the forwarded
capacity can be just two bytes. UTF8_putc() then returns -1, and this negative
value is added to the output length without validation, causing the
length to become negative. The subsequent trailing NUL byte is then written
at a negative offset, causing write outside of heap allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API
when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a
different code path that avoids this issue, PKCS12_get_friendlyname() directly
invokes the vulnerable function. Exploitation requires an attacker to provide
a malicious PKCS#12 file to be parsed by the application and the attacker
can just trigger a one zero byte write before the allocated buffer.
For that reason the issue was assessed as Low severity according to our
Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.4 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Affected Products (NVD)

Vendor	Product	Version
openssl	openssl	1.1.1 ≤ 𝑥 < 1.1.1ze
openssl	openssl	3.0.0 ≤ 𝑥 < 3.0.19
openssl	openssl	3.3.0 ≤ 𝑥 < 3.3.6
openssl	openssl	3.4.0 ≤ 𝑥 < 3.4.4
openssl	openssl	3.5.0 ≤ 𝑥 < 3.5.5
openssl	openssl	3.6.0 ≤ 𝑥 < 3.6.1

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
Siemens	SIMATIC S7-1500 TM MFP - GNU\/Linux subsystem	𝑥 < *	ADP

Debian Releases

Debian Product

Codename

openssl

bookworm	3.0.20-1~deb12u1 fixed
bookworm (security)	3.0.19-1~deb12u2 fixed
bullseye	vulnerable
bullseye (security)	1.1.1w-0+deb11u5 fixed
forky	3.6.2-1 fixed
sid	3.6.2-1 fixed
trixie	3.5.6-1~deb13u1 fixed
trixie (security)	3.5.5-1~deb13u2 fixed

Ubuntu Releases

Ubuntu Product

Codename

openssl

bionic	Fixed 1.1.1-1ubuntu2.1~18.04.23+esm7 released
focal	Fixed 1.1.1f-1ubuntu2.24+esm2 released
jammy	Fixed 3.0.2-0ubuntu1.21 released
noble	Fixed 3.0.13-0ubuntu3.7 released
plucky	ignored
questing	Fixed 3.5.3-1ubuntu3 released
resolute	Fixed 3.5.5-1ubuntu1 released
trusty	not-affected
xenial	not-affected

openssl1.0

bionic	not-affected
jammy	dne
noble	dne
plucky	dne
questing	dne
resolute	dne

nodejs

bionic	needs-triage
focal	not-affected
jammy	needed
noble	not-affected
plucky	not-affected
questing	not-affected
resolute	not-affected
trusty	not-affected
xenial	ignored

edk2

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
plucky	ignored
questing	needs-triage
resolute	needs-triage
xenial	ignored

openSUSE / SLES Releases

openSUSE Product

Release

libopenssl-3-devel

suse enterprise desktop 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise sap 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise server 15 SP4	3.0.8-150400.4.78.1 fixed
suse enterprise server 15 SP5	3.0.8-150500.5.57.1 fixed
suse enterprise server 15 SP6	3.1.4-150600.5.42.1 fixed
suse enterprise server 15 SP7	3.2.3-150700.5.24.1 fixed

libopenssl-3-fips-provider

suse enterprise desktop 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise sap 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise server 15 SP6	3.1.4-150600.5.42.1 fixed
suse enterprise server 15 SP7	3.2.3-150700.5.24.1 fixed

libopenssl-3-fips-provider-32bit

suse enterprise desktop 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise sap 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise server 15 SP6	3.1.4-150600.5.42.1 fixed
suse enterprise server 15 SP7	3.2.3-150700.5.24.1 fixed

libopenssl3

suse enterprise desktop 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise sap 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise server 15 SP4	3.0.8-150400.4.78.1 fixed
suse enterprise server 15 SP5	3.0.8-150500.5.57.1 fixed
suse enterprise server 15 SP6	3.1.4-150600.5.42.1 fixed
suse enterprise server 15 SP7	3.2.3-150700.5.24.1 fixed

libopenssl3-32bit

suse enterprise desktop 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise sap 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise server 15 SP6	3.1.4-150600.5.42.1 fixed
suse enterprise server 15 SP7	3.2.3-150700.5.24.1 fixed

openssl-3

suse enterprise desktop 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise sap 15 SP7	3.2.3-150700.5.24.1 fixed
suse enterprise server 15 SP4	3.0.8-150400.4.78.1 fixed
suse enterprise server 15 SP5	3.0.8-150500.5.57.1 fixed
suse enterprise server 15 SP6	3.1.4-150600.5.42.1 fixed
suse enterprise server 15 SP7	3.2.3-150700.5.24.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

compat-openssl11

RHEL 9

1:1.1.1k-5.el9_7.1

fixed

openssl

RHEL 8	1:1.1.1k-15.el8_6 fixed
RHEL 8.2 AUS	1:1.1.1c-21.el8_2.2 fixed
RHEL 8.4 AUS	1:1.1.1g-18.el8_4.2 fixed
RHEL 8.6 AUS	1:1.1.1k-15.el8_6 fixed
RHEL 8.6 E4S	1:1.1.1k-15.el8_6 fixed
RHEL 8.6 TUS	1:1.1.1k-15.el8_6 fixed
RHEL 9	1:3.5.1-7.el9_7 fixed

openssl-devel

RHEL 8	1:1.1.1k-15.el8_6 fixed
RHEL 8.2 AUS	1:1.1.1c-21.el8_2.2 fixed
RHEL 8.4 AUS	1:1.1.1g-18.el8_4.2 fixed
RHEL 8.6 AUS	1:1.1.1k-15.el8_6 fixed
RHEL 8.6 E4S	1:1.1.1k-15.el8_6 fixed
RHEL 8.6 TUS	1:1.1.1k-15.el8_6 fixed
RHEL 9	1:3.5.1-7.el9_7 fixed

openssl-libs

RHEL 8	1:1.1.1k-15.el8_6 fixed
RHEL 8.2 AUS	1:1.1.1c-21.el8_2.2 fixed
RHEL 8.4 AUS	1:1.1.1g-18.el8_4.2 fixed
RHEL 8.6 AUS	1:1.1.1k-15.el8_6 fixed
RHEL 8.6 E4S	1:1.1.1k-15.el8_6 fixed
RHEL 8.6 TUS	1:1.1.1k-15.el8_6 fixed
RHEL 9	1:3.5.1-7.el9_7 fixed

openssl-perl

RHEL 8	1:1.1.1k-15.el8_6 fixed
RHEL 8.2 AUS	1:1.1.1c-21.el8_2.2 fixed
RHEL 8.4 AUS	1:1.1.1g-18.el8_4.2 fixed
RHEL 8.6 AUS	1:1.1.1k-15.el8_6 fixed
RHEL 8.6 E4S	1:1.1.1k-15.el8_6 fixed
RHEL 8.6 TUS	1:1.1.1k-15.el8_6 fixed
RHEL 9	1:3.5.1-7.el9_7 fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296

https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb

https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2

https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015

https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535

https://openssl-library.org/news/secadv/20260127.txt

https://cert-portal.siemens.com/productcert/html/ssa-265688.html