CVE-2025-69419

CVE-2025-69419

Name

CVE-2025-69419

Description

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015
openssl-security@openssl.org	https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535
openssl-security@openssl.org	https://openssl-library.org/news/secadv/20260127.txt

Type

URI

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015

openssl-security@openssl.org

https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535

openssl-security@openssl.org

https://openssl-library.org/news/secadv/20260127.txt

Match rules

CPE URI	Source package	Min version	Max version
`None`	openssl	>= 3.4.0	< 3.4.4
`None`	openssl	>= 3.5.0	< 3.5.5
`None`	openssl	>= 3.6.0	< 3.6.1
`None`	openssl	>= 3.3.0	< 3.3.6
`None`	openssl	>= 3.0.0	< 3.0.19
`cpe:2.3:a:openssl:openssl::::::::`	openssl	>= 1.1.1	< 1.1.1ze

CPE URI

Source package

Min version

Max version

None

openssl

>= 3.4.0

< 3.4.4

None

openssl

>= 3.5.0

< 3.5.5

None

openssl

>= 3.6.0

< 3.6.1

None

openssl

>= 3.3.0

< 3.3.6

None

openssl

>= 3.0.0

< 3.0.19

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

openssl

>= 1.1.1

< 1.1.1ze

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openssl	edge-main	3.5.5-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
openssl	edge-main	3.5.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.5.3-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.5.3-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.5.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.5.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.5.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.5.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.2-r6	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.2-r5	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.2-r4	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.2-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.1-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.1-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.0-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.3.0-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	edge-main	3.0.8-r0	Ariadne Conill <ariadne@dereferenced.org>	possibly vulnerable
openssl	edge-main	3.0.7-r2	Ariadne Conill <ariadne@dereferenced.org>	possibly vulnerable
openssl	edge-main	3.0.7-r0	Ariadne Conill <ariadne@dereferenced.org>	possibly vulnerable
openssl	edge-main	3.0.6-r0	Ariadne Conill <ariadne@dereferenced.org>	possibly vulnerable
openssl	edge-main	3.0.5-r0	None	possibly vulnerable
openssl	edge-main	3.0.3-r0	None	possibly vulnerable
openssl	edge-main	3.0.2-r0	None	possibly vulnerable
openssl	edge-main	3.0.1-r0	None	possibly vulnerable
openssl	edge-main	1.1.1q-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
openssl	edge-main	1.1.1o-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
openssl	edge-main	1.1.1n-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
openssl	edge-main	1.1.1l-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
openssl	edge-main	1.1.1k-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
openssl	edge-main	1.1.1j-r0	None	possibly vulnerable
openssl	edge-main	1.1.1i-r0	None	possibly vulnerable
openssl	edge-main	1.1.1g-r0	None	possibly vulnerable
openssl	edge-main	1.1.1d-r3	None	possibly vulnerable
openssl	edge-main	1.1.1d-r1	None	possibly vulnerable
openssl	edge-main	1.1.1b-r1	None	possibly vulnerable
openssl	edge-main	1.1.1a-r0	None	possibly vulnerable
openssl	3.23-main	3.5.5-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
openssl	3.23-main	3.5.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.22-main	3.5.5-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
openssl	3.22-main	3.5.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.22-main	3.5.3-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.22-main	3.5.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.22-main	3.5.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.22-main	3.5.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.22-main	3.5.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.22-main	3.3.3-r0	None	possibly vulnerable
openssl	3.22-main	3.3.2-r5	None	possibly vulnerable
openssl	3.22-main	3.3.2-r3	None	possibly vulnerable
openssl	3.22-main	3.3.2-r0	None	possibly vulnerable
openssl	3.22-main	3.3.1-r1	None	possibly vulnerable
openssl	3.22-main	3.3.0-r3	None	possibly vulnerable
openssl	3.22-main	3.3.0-r2	None	possibly vulnerable
openssl	3.22-main	3.0.8-r0	None	possibly vulnerable
openssl	3.22-main	3.0.7-r2	None	possibly vulnerable
openssl	3.22-main	3.0.7-r0	None	possibly vulnerable
openssl	3.22-main	3.0.6-r0	None	possibly vulnerable
openssl	3.22-main	3.0.5-r0	None	possibly vulnerable
openssl	3.22-main	3.0.3-r0	None	possibly vulnerable
openssl	3.22-main	3.0.2-r0	None	possibly vulnerable
openssl	3.22-main	3.0.1-r0	None	possibly vulnerable
openssl	3.22-main	1.1.1l-r0	None	possibly vulnerable
openssl	3.22-main	1.1.1k-r0	None	possibly vulnerable
openssl	3.22-main	1.1.1j-r0	None	possibly vulnerable
openssl	3.22-main	1.1.1i-r0	None	possibly vulnerable
openssl	3.22-main	1.1.1g-r0	None	possibly vulnerable
openssl	3.22-main	1.1.1d-r3	None	possibly vulnerable
openssl	3.22-main	1.1.1d-r1	None	possibly vulnerable
openssl	3.22-main	1.1.1b-r1	None	possibly vulnerable
openssl	3.22-main	1.1.1a-r0	None	possibly vulnerable
openssl	3.21-main	3.3.6-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
openssl	3.21-main	3.3.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.21-main	3.3.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.21-main	3.3.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.21-main	3.3.2-r6	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.21-main	3.3.2-r5	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.21-main	3.3.2-r4	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.21-main	3.3.2-r3	None	possibly vulnerable
openssl	3.21-main	3.3.2-r0	None	possibly vulnerable
openssl	3.21-main	3.3.1-r1	None	possibly vulnerable
openssl	3.21-main	3.3.0-r3	None	possibly vulnerable
openssl	3.21-main	3.3.0-r2	None	possibly vulnerable
openssl	3.21-main	3.0.8-r0	None	possibly vulnerable
openssl	3.21-main	3.0.7-r2	None	possibly vulnerable
openssl	3.21-main	3.0.7-r0	None	possibly vulnerable
openssl	3.21-main	3.0.6-r0	None	possibly vulnerable
openssl	3.21-main	3.0.5-r0	None	possibly vulnerable
openssl	3.21-main	3.0.3-r0	None	possibly vulnerable
openssl	3.21-main	3.0.2-r0	None	possibly vulnerable
openssl	3.21-main	3.0.1-r0	None	possibly vulnerable
openssl	3.21-main	1.1.1l-r0	None	possibly vulnerable
openssl	3.21-main	1.1.1k-r0	None	possibly vulnerable
openssl	3.21-main	1.1.1j-r0	None	possibly vulnerable
openssl	3.21-main	1.1.1i-r0	None	possibly vulnerable
openssl	3.21-main	1.1.1g-r0	None	possibly vulnerable
openssl	3.21-main	1.1.1d-r3	None	possibly vulnerable
openssl	3.21-main	1.1.1d-r1	None	possibly vulnerable
openssl	3.21-main	1.1.1b-r1	None	possibly vulnerable
openssl	3.21-main	1.1.1a-r0	None	possibly vulnerable
openssl	3.20-main	3.3.6-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
openssl	3.20-main	3.3.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.2-r3	None	possibly vulnerable
openssl	3.20-main	3.3.2-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.2-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.1-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.0-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.3.0-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
openssl	3.20-main	3.0.8-r0	None	possibly vulnerable
openssl	3.20-main	3.0.7-r2	None	possibly vulnerable
openssl	3.20-main	3.0.7-r0	None	possibly vulnerable
openssl	3.20-main	3.0.6-r0	None	possibly vulnerable
openssl	3.20-main	3.0.5-r0	None	possibly vulnerable
openssl	3.20-main	3.0.3-r0	None	possibly vulnerable
openssl	3.20-main	3.0.2-r0	None	possibly vulnerable
openssl	3.20-main	3.0.1-r0	None	possibly vulnerable
openssl	3.20-main	1.1.1l-r0	None	possibly vulnerable
openssl	3.20-main	1.1.1k-r0	None	possibly vulnerable
openssl	3.20-main	1.1.1j-r0	None	possibly vulnerable
openssl	3.20-main	1.1.1i-r0	None	possibly vulnerable
openssl	3.20-main	1.1.1g-r0	None	possibly vulnerable
openssl	3.20-main	1.1.1d-r3	None	possibly vulnerable
openssl	3.20-main	1.1.1d-r1	None	possibly vulnerable
openssl	3.20-main	1.1.1b-r1	None	possibly vulnerable
openssl	3.20-main	1.1.1a-r0	None	possibly vulnerable
openssl	3.19-main	3.0.8-r0	None	possibly vulnerable
openssl	3.19-main	3.0.7-r2	None	possibly vulnerable
openssl	3.19-main	3.0.7-r0	None	possibly vulnerable
openssl	3.19-main	3.0.6-r0	None	possibly vulnerable
openssl	3.19-main	3.0.5-r0	None	possibly vulnerable
openssl	3.19-main	3.0.3-r0	None	possibly vulnerable
openssl	3.19-main	3.0.2-r0	None	possibly vulnerable
openssl	3.19-main	3.0.1-r0	None	possibly vulnerable
openssl	3.19-main	1.1.1l-r0	None	possibly vulnerable
openssl	3.19-main	1.1.1k-r0	None	possibly vulnerable
openssl	3.19-main	1.1.1j-r0	None	possibly vulnerable
openssl	3.19-main	1.1.1i-r0	None	possibly vulnerable
openssl	3.19-main	1.1.1g-r0	None	possibly vulnerable
openssl	3.19-main	1.1.1d-r3	None	possibly vulnerable
openssl	3.19-main	1.1.1d-r1	None	possibly vulnerable
openssl	3.19-main	1.1.1b-r1	None	possibly vulnerable
openssl	3.19-main	1.1.1a-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages