another critical bug in OpenSSL

JWx 3 days ago

It seems that we have another remote code execution in recent OpenSSL versions (CVE-2025-15467), this time in AEAD component.

Debian advisory is here. From openssl advisory it seems that it mainly affects less popular use-cases

Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.

Top Replies

cstanton 3 days ago +1

Oh, joy. I wonder how many people who run single board computers and other such embedded tools keep track of issues such as these?

cstanton 3 days ago

Oh, joy.

I wonder how many people who run single board computers and other such embedded tools keep track of issues such as these?
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
JWx 2 days ago in reply to cstanton

Fortunately this one seems (for now) to not include TLS, which would render many SSL enabled devices in need of update...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel
JWx 2 days ago in reply to JWx

btw - I wanted to place this in "software" but couldn't find a mean to add something there, so I placed it one level up
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel