CVE-2025-69419

{"id": "CVE-2025-69419", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}]}, "published": "2026-01-27T16:16:34.113", "references": [{"url": "https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/7e9cac9832e4705b91987c2474ed06a37a93cecb", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/a26a90d38edec3748566129d824e664b54bee2e2", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/cda12de3bc0e333ea8d2c6fd15001dbdaf280015", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/ff628933755075446bca8307e8417c14d164b535", "tags": ["Patch"], "source": "openssl-security@openssl.org"}, {"url": "https://openssl-library.org/news/secadv/20260127.txt", "tags": ["Vendor Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "openssl-security@openssl.org", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously\ncrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing\nnon-ASCII BMP code point can trigger a one byte write before the allocated\nbuffer.\n\nImpact summary: The out-of-bounds write can cause a memory corruption\nwhich can have various consequences including a Denial of Service.\n\nThe OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12\nBMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,\nthe helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16\nsource byte count as the destination buffer capacity to UTF8_putc(). For BMP\ncode points above U+07FF, UTF-8 requires three bytes, but the forwarded\ncapacity can be just two bytes. UTF8_putc() then returns -1, and this negative\nvalue is added to the output length without validation, causing the\nlength to become negative. The subsequent trailing NUL byte is then written\nat a negative offset, causing write outside of heap allocated buffer.\n\nThe vulnerability is reachable via the public PKCS12_get_friendlyname() API\nwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a\ndifferent code path that avoids this issue, PKCS12_get_friendlyname() directly\ninvokes the vulnerable function. Exploitation requires an attacker to provide\na malicious PKCS#12 file to be parsed by the application and the attacker\ncan just trigger a one zero byte write before the allocated buffer.\nFor that reason the issue was assessed as Low severity according to our\nSecurity Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue."}, {"lang": "es", "value": "Resumen del problema: Llamar a la funci\u00f3n PKCS12_get_friendlyname() en un archivo PKCS#12 creado maliciosamente con un nombre descriptivo BMPString (UTF-16BE) que contiene un punto de c\u00f3digo BMP no ASCII puede desencadenar una escritura de un byte antes del b\u00fafer asignado.\n\nResumen del impacto: La escritura fuera de l\u00edmites puede causar una corrupci\u00f3n de memoria que puede tener varias consecuencias, incluyendo una denegaci\u00f3n de servicio.\n\nLa funci\u00f3n OPENSSL_uni2utf8() realiza una conversi\u00f3n en dos pasadas de un BMPString (UTF-16BE) de PKCS#12 a UTF-8. En la segunda pasada, al emitir bytes UTF-8, la funci\u00f3n auxiliar bmp_to_utf8() reenv\u00eda incorrectamente el recuento de bytes fuente UTF-16 restantes como la capacidad del b\u00fafer de destino a UTF8_putc(). Para puntos de c\u00f3digo BMP superiores a U+07FF, UTF-8 requiere tres bytes, pero la capacidad reenviada puede ser de solo dos bytes. UTF8_putc() luego devuelve -1, y este valor negativo se a\u00f1ade a la longitud de salida sin validaci\u00f3n, haciendo que la longitud se vuelva negativa. El subsiguiente byte NUL final se escribe entonces en un desplazamiento negativo, causando una escritura fuera del b\u00fafer asignado en el heap.\n\nLa vulnerabilidad es alcanzable a trav\u00e9s de la API p\u00fablica PKCS12_get_friendlyname() al analizar archivos PKCS#12 controlados por el atacante. Si bien PKCS12_parse() utiliza una ruta de c\u00f3digo diferente que evita este problema, PKCS12_get_friendlyname() invoca directamente la funci\u00f3n vulnerable. La explotaci\u00f3n requiere que un atacante proporcione un archivo PKCS#12 malicioso para ser analizado por la aplicaci\u00f3n y el atacante puede simplemente desencadenar una escritura de un byte cero antes del b\u00fafer asignado. Por esa raz\u00f3n, el problema fue evaluado como de baja severidad seg\u00fan nuestra Pol\u00edtica de Seguridad.\n\nLos m\u00f3dulos FIPS en 3.6, 3.5, 3.4, 3.3 y 3.0 no se ven afectados por este problema, ya que la implementaci\u00f3n de PKCS#12 est\u00e1 fuera del l\u00edmite del m\u00f3dulo FIPS de OpenSSL.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 y 1.1.1 son vulnerables a este problema.\n\nOpenSSL 1.0.2 no se ve afectado por este problema."}], "lastModified": "2026-05-12T13:17:26.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E000B986-6A31-468F-9EA3-B9D16DB16FB2", "versionEndExcluding": "1.1.1ze", "versionStartIncluding": "1.1.1"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C76C5F55-5243-4461-82F5-2FEBFF4D59FA", "versionEndExcluding": "3.0.19", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5292E9E-6B50-409F-9219-7B0A04047AD8", "versionEndExcluding": "3.3.6", "versionStartIncluding": "3.3.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9D3DCAE-317D-4DFB-93F0-7A235A229619", "versionEndExcluding": "3.4.4", "versionStartIncluding": "3.4.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CAC7CBE-EC03-4089-938A-0CEEB2E09B62", "versionEndExcluding": "3.5.5", "versionStartIncluding": "3.5.0"}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68352537-5E99-4F4D-B78A-BCF0353A70A5", "versionEndExcluding": "3.6.1", "versionStartIncluding": "3.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "openssl-security@openssl.org"}