CVE-2025-15467

*** Pendiente de traducción *** Issue summary: Parsing CMS AuthEnvelopedData message with maliciously<br /> crafted AEAD parameters can trigger a stack buffer overflow.<br /> <br /> Impact summary: A stack buffer overflow may lead to a crash, causing Denial<br /> of Service, or potentially remote code execution.<br /> <br /> When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as<br /> AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is<br /> copied into a fixed-size stack buffer without verifying that its length fits<br /> the destination. An attacker can supply a crafted CMS message with an<br /> oversized IV, causing a stack-based out-of-bounds write before any<br /> authentication or tag verification occurs.<br /> <br /> Applications and services that parse untrusted CMS or PKCS#7 content using<br /> AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.<br /> Because the overflow occurs prior to authentication, no valid key material<br /> is required to trigger it. While exploitability to remote code execution<br /> depends on platform and toolchain mitigations, the stack-based write<br /> primitive represents a severe risk.<br /> <br /> The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this<br /> issue, as the CMS implementation is outside the OpenSSL FIPS module<br /> boundary.<br /> <br /> OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.<br /> <br /> OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.