CVE-2025-15469

Issue summary: The &amp;#39;openssl dgst&amp;#39; command-line tool silently truncates input<br /> data to 16MB when using one-shot signing algorithms and reports success instead<br /> of an error.<br /> <br /> Impact summary: A user signing or verifying files larger than 16MB with<br /> one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire<br /> file is authenticated while trailing data beyond 16MB remains unauthenticated.<br /> <br /> When the &amp;#39;openssl dgst&amp;#39; command is used with algorithms that only support<br /> one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input<br /> is buffered with a 16MB limit. If the input exceeds this limit, the tool<br /> silently truncates to the first 16MB and continues without signaling an error,<br /> contrary to what the documentation states. This creates an integrity gap where<br /> trailing bytes can be modified without detection if both signing and<br /> verification are performed using the same affected codepath.<br /> <br /> The issue affects only the command-line tool behavior. Verifiers that process<br /> the full message using library APIs will reject the signature, so the risk<br /> primarily affects workflows that both sign and verify with the affected<br /> &amp;#39;openssl dgst&amp;#39; command. Streaming digest algorithms for &amp;#39;openssl dgst&amp;#39; and<br /> library users are unaffected.<br /> <br /> The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the<br /> command-line tools are outside the OpenSSL FIPS module boundary.<br /> <br /> OpenSSL 3.5 and 3.6 are vulnerable to this issue.<br /> <br /> OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.