Stack buffer overflow vulnerability in OpenSSL - 20260129004¶
Overview¶
The WASOC has become aware of a vulnerbility in OpenSSL that allows remote attackers to exploit stack buffer overflow vulnerability by supplying a crafted Cryptographic Message Syntax (CMS) message with an oversized Initialization Vector (IV) when parsing AuthEnvelopedData structures that use Authenticated Encryption with Associated Data (AEAD) ciphers such as AES-GCM. This can lead to a crash, causing a Denial of Service (DoS), or potentially allow for remote code execution.
What is vulnerable?¶
| Product(s) Affected | Version(s) | CVE | CVSS | Severity |
|---|---|---|---|---|
| OpenSSL Red Hat Enterprise Linux for x86_64 10 x86_64 | CVE-2025-15467 | 9.8 | Critical | |
| Red Hat Enterprise Linux for IBM z Systems 10 s390x | CVE-2025-15467 | 9.8 | Critical | |
| Red Hat Enterprise Linux for Power, little endian 10 ppc64le | CVE-2025-15467 | 9.8 | Critical | |
| Red Hat Enterprise Linux for ARM 64 10 aarch64 | CVE-2025-15467 | 9.8 | Critical |
What has been observed?¶
The WASOC has not received any reports of exploitation of this vulnerability on Western Australian Government networks at the time of writing.
Recommendation¶
The WASOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframes (refer Patch Management):