VDE-2026-029

Vulnerability from csaf_mettlertoledogmbh - Published: 2026-04-23 10:00 - Updated: 2026-04-23 10:00
Summary
METTLER TOLEDO: OpenSSL vulnerability in MX and MR balances
Severity
Medium
Notes
Summary: MX/MR firmware V2.0.0 or earlier is affected by the OpenSSL vulnerability CVE-2025-15467.
Impact: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.
Remediation: Update MX/MR firmware to version 2.1.0
Disclaimer: Your use of the information on this document or materials linked from this document is at your own risk. METTLER TOLEDO makes reasonable efforts to ensure the accuracy of the information but does not grant any warranty, express or implied, including warranties of merchantability or fitness for a particular purpose. To the extent permitted by applicable law, METTLER TOLEDO excludes liability for any loss, claim, expense or damage arising from or related to the statements in this document. METTLER TOLEDO reserves the right to change or update this document at any time.

Parsing a CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.

When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

The vulnerability is potentially exploitable with a manipulated SW upgrade package on USB memory. It is fixed in the Debian openssl package 3.0.18-1~deb12u2. In the device context, the assessment deviates from the original CVSS assessment: the attack vector is set to 'local' because firmware upgrades are only possible through an attached USB memory, not through the network.

CWE-787 - Out-of-bounds Write
Vendor Fix: Update MX Firmware to version 2.1.0
Vendor Fix: Update MR Firmware to version 2.1.0
Vendor Fix: Vulnerable debian openssl package shall be updated to openssl package version 3.0.18-1~deb12u2
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "Medium"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "MX/MR firmware V2.0.0 or earlier is affected by the OpenSSL vulnerability CVE-2025-15467.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update MX/MR firmware to version 2.1.0",
        "title": "Remediation"
      },
      {
        "category": "legal_disclaimer",
        "text": "Your use of the information on this document or materials linked from this document is at your own risk. METTLER TOLEDO makes reasonable efforts to ensure the accuracy of the information but does not grant any warranty, express or implied, including warranties of merchantability or fitness for a particular purpose. To the extent permitted by applicable law, METTLER TOLEDO excludes liability for any loss, claim, expense or damage arising from or related to the statements in this document. METTLER TOLEDO reserves the right to change or update this document at any time.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@mt.com",
      "name": "Mettler-Toledo GmbH",
      "namespace": "https://www.mt.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Product security website of METTLER TOLEDO",
        "url": "https://www.mt.com/ph/en/home/site_content/product-security.html"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for METTLER TOLEDO",
        "url": "https://certvde.com/en/advisories/vendor/mettler-toledo/"
      },
      {
        "category": "self",
        "summary": "VDE-2026-029: METTLER TOLEDO: OpenSSL vulnerability in MX and MR balances - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2026-029/"
      },
      {
        "category": "self",
        "summary": "VDE-2026-029: METTLER TOLEDO: OpenSSL vulnerability in MX and MR balances - CSAF",
        "url": "https://mettler-toledo.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-029.json"
      }
    ],
    "title": "METTLER TOLEDO: OpenSSL vulnerability in MX and MR balances",
    "tracking": {
      "aliases": [
        "VDE-2026-029"
      ],
      "current_release_date": "2026-04-23T10:00:00.000Z",
      "generator": {
        "date": "2026-04-23T10:41:48.109Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "VDE-2026-029",
      "initial_release_date": "2026-04-23T10:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-04-23T10:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "MX balance",
                "product": {
                  "name": "MX balance",
                  "product_id": "CSAFPID-11000",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:mettler_toledo:mx_balance:*:*:*:*:*:*:*:*",
                    "model_numbers": [
                      "MX*"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "MR balance",
                "product": {
                  "name": "MR balance",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:mettler_toledo:mr_balance:*:*:*:*:*:*:*:*",
                    "model_numbers": [
                      "MR*"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.1.0",
                "product": {
                  "name": "Firmware V2.1.0",
                  "product_id": "CSAFPID-22000"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:generic/\u003c2.1.0",
                "product": {
                  "name": "Firmware \u003c2.1.0",
                  "product_id": "CSAFPID-21000"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "METTLER TOLEDO"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0.18-1~deb12u1",
                "product": {
                  "name": "openssl 3.0.18-1~deb12u1",
                  "product_id": "CSAFPID-51002",
                  "product_identification_helper": {
                    "purl": "pkg:deb/debian/openssl@3.0.18-1~deb12u1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "3.0.18-1~deb12u2",
                "product": {
                  "name": "openssl 3.0.18-1~deb12u2",
                  "product_id": "CSAFPID-52002",
                  "product_identification_helper": {
                    "purl": "pkg:deb/debian/openssl@3.0.18-1~deb12u2"
                  }
                }
              }
            ],
            "category": "service_pack",
            "name": "openssl debian package"
          }
        ],
        "category": "vendor",
        "name": "Debian Project"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c2.1.0 installed on MX balance",
          "product_id": "CSAFPID-31000"
        },
        "product_reference": "CSAFPID-21000",
        "relates_to_product_reference": "CSAFPID-11000"
      },
      {
        "category": "installed_with",
        "full_product_name": {
          "name": "Firmware \u003c2.1.0 installed on MR balance",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21000",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V2.1.0 installed on MX balance",
          "product_id": "CSAFPID-32000",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:mx_balance_firmware:2.1.0:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-22000",
        "relates_to_product_reference": "CSAFPID-11000"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware V2.1.0 installed on MR balance",
          "product_id": "CSAFPID-32001",
          "product_identification_helper": {
            "cpe": "cpe:2.3:o:mettler_toledo:mr_balance_firmware:2.1.0:*:*:*:*:*:*:*"
          }
        },
        "product_reference": "CSAFPID-22000",
        "relates_to_product_reference": "CSAFPID-11001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-15467",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
          "title": "CVE Description"
        },
        {
          "audience": "operational management and system administrators",
          "category": "description",
          "text": "Vulnerability potentially exploitable with manipulated SW upgrade package on USB memory.\nThe vulnerability is fixed in openssl debian package 3.0.18-1~deb12u2.\n\nIn the device context, there are deviations from the original CVSS assessment. Attack vector is set to \u0027local\u0027 because firmware upgrades are only possible though an attached USB memory, not through the network.",
          "title": "Vulnerability Characterisation"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32000",
          "CSAFPID-32001",
          "CSAFPID-52002"
        ],
        "known_affected": [
          "CSAFPID-31000",
          "CSAFPID-31001",
          "CSAFPID-51002"
        ],
        "recommended": [
          "CSAFPID-32000",
          "CSAFPID-32001",
          "CSAFPID-52002"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update MX Firmware to version 2.1.0",
          "product_ids": [
            "CSAFPID-31000"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Update MR Firmware to version 2.1.0",
          "product_ids": [
            "CSAFPID-31001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Vulnerable debian openssl package shall be updated to openssl package version \t3.0.18-1~deb12u2 ",
          "product_ids": [
            "CSAFPID-51002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51002"
          ]
        },
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31000",
            "CSAFPID-31001"
          ]
        }
      ],
      "title": "OpenSSL vulnerability affecting SW upgrade packages"
    }
  ]
}

