Bug 2430386 (CVE-2025-69419)

Summary: CVE-2025-69419 openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: csutherl, cy.schubert, jclere, pjindal, plodge, security-response-team, szappis, vchlup
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in OpenSSL. When processing a specially crafted PKCS#12 (Personal Information Exchange Syntax Standard) file, a remote attacker can exploit an out-of-bounds write vulnerability. This issue, occurring within the OPENSSL_uni2utf8() function, leads to memory corruption by writing data beyond its allocated buffer. Successful exploitation could result in a denial of service or potentially allow for arbitrary code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2026-01-27

Description OSIDB Bzimport 2026-01-16 14:38:12 UTC
The out-of-bounds write can cause a memory corruption
which can have various consequences including a Denial of Service or
Execution of attacker-supplied code.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12
BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,
the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16
source byte count as the destination buffer capacity to UTF8_putc(). For BMP
code points above U+07FF, UTF-8 requires three bytes, but the forwarded
capacity can be just two bytes. UTF8_putc() then returns -1, and this negative
value is added to the output length without validation, causing the
length to become negative. The subsequent trailing NUL byte is then written
at a negative offset, causing a write outside of the heap-allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API
when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a
different code path that avoids this issue, PKCS12_get_friendlyname() directly
invokes the vulnerable function. Exploitation requires an attacker to provide
a malicious PKCS#12 file to be parsed by the application. For that reason the
issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

OpenSSL 3.6 users should upgrade to OpenSSL 3.6.1.

OpenSSL 3.5 users should upgrade to OpenSSL 3.5.5.

OpenSSL 3.4 users should upgrade to OpenSSL 3.4.4.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.6.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.19.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1ze
(premium support customers only).
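The length-accounting defect described above, modelled beside its corrected two-pass form, as an added example in C that is not OpenSSL's own code: model_utf8_putc, flawed_utf8_len, bmp_to_utf8_fixed and the sample BMPString are hypothetical names written for this note, assuming only the UTF8_putc() contract the description relies on (bytes written, or -1 when the destination capacity is too small).

```c
#include <stdlib.h>

/* Model of UTF8_putc(): write one BMP code point into out (cap bytes free).
 * Returns bytes written, -1 if cap is too small; out == NULL only returns
 * the byte count needed. Simplified model: BMP only, no surrogate handling. */
static int model_utf8_putc(unsigned char *out, int cap, unsigned long cp)
{
    int need = cp < 0x80 ? 1 : (cp < 0x800 ? 2 : 3), k;
    if (out == NULL) return need;
    if (cap < need) return -1;
    for (k = need - 1; k > 0; k--, cp >>= 6)           /* continuation bytes */
        out[k] = (unsigned char)(0x80 | (cp & 0x3F));
    out[0] = (unsigned char)((need == 1 ? 0 : need == 2 ? 0xC0 : 0xE0) | cp);
    return need;
}

/* The defective second pass as described: remaining UTF-16BE source bytes are
 * forwarded as destination capacity and the result is added to len unchecked.
 * Nothing is written; the resulting length is returned for inspection. */
static int flawed_utf8_len(const unsigned char *uni, int unilen)
{
    int len = 0, i, need;
    for (i = 0; i + 1 < unilen; i += 2) {
        need = model_utf8_putc(NULL, 0, ((unsigned long)uni[i] << 8) | uni[i + 1]);
        len += (unilen - i < need) ? -1 : need;        /* -1 leaks into len */
    }
    return len;                            /* trailing NUL would go to out[len] */
}

/* Corrected conversion: pass 1 sizes the output, pass 2 tracks the real
 * destination capacity and fails on a negative return. Returns a malloc'd
 * NUL-terminated string and sets *outlen, or NULL on malformed input. */
static char *bmp_to_utf8_fixed(const unsigned char *uni, int unilen, int *outlen)
{
    int len = 0, cap, n, i;
    unsigned char *out;
    if (unilen < 0 || (unilen & 1)) return NULL;     /* BMPString: 2 bytes/char */
    for (i = 0; i < unilen; i += 2)
        len += model_utf8_putc(NULL, 0, ((unsigned long)uni[i] << 8) | uni[i + 1]);
    if ((out = malloc((size_t)len + 1)) == NULL)
        return NULL;
    for (cap = len, len = 0, i = 0; i < unilen; i += 2) {
        n = model_utf8_putc(out + len, cap - len, ((unsigned long)uni[i] << 8) | uni[i + 1]);
        if (n < 0) { free(out); return NULL; }       /* never add -1 to len */
        len += n;
    }
    out[len] = '\0';
    *outlen = len;
    return (char *)out;
}
/* Constructed sample (not from a real file): BMPString "A€", U+0041 U+20AC. */
static const unsigned char sample_bmp[] = { 0x00, 0x41, 0x20, 0xAC };
```

With the sample, the flawed accounting yields 0 for "A€" (the NUL would overwrite the 'A') and -1 for "€" alone (the negative offset from the description), while the corrected pass produces the 4-byte UTF-8 string.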

Comment 3 errata-xmlrpc 2026-01-28 08:56:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1472 https://access.redhat.com/errata/RHSA-2026:1472

Comment 4 errata-xmlrpc 2026-01-28 09:54:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1473 https://access.redhat.com/errata/RHSA-2026:1473

Comment 5 errata-xmlrpc 2026-01-28 15:24:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:1496 https://access.redhat.com/errata/RHSA-2026:1496

Comment 6 errata-xmlrpc 2026-01-28 17:02:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1503 https://access.redhat.com/errata/RHSA-2026:1503

Comment 7 errata-xmlrpc 2026-01-29 00:11:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1519 https://access.redhat.com/errata/RHSA-2026:1519

Comment 8 errata-xmlrpc 2026-01-29 17:13:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:1594 https://access.redhat.com/errata/RHSA-2026:1594

Comment 9 errata-xmlrpc 2026-02-02 17:28:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:1733 https://access.redhat.com/errata/RHSA-2026:1733

Comment 10 errata-xmlrpc 2026-02-23 02:00:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:3042 https://access.redhat.com/errata/RHSA-2026:3042

Comment 13 errata-xmlrpc 2026-02-23 19:17:21 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2026:2994 https://access.redhat.com/errata/RHSA-2026:2994

Comment 14 errata-xmlrpc 2026-02-23 19:19:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services 2.4.62.SP3

Via RHSA-2026:2995 https://access.redhat.com/errata/RHSA-2026:2995

Comment 16 errata-xmlrpc 2026-02-25 15:49:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:3364 https://access.redhat.com/errata/RHSA-2026:3364

Comment 17 errata-xmlrpc 2026-02-26 14:35:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:3437 https://access.redhat.com/errata/RHSA-2026:3437

Comment 19 errata-xmlrpc 2026-03-10 08:27:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:4163 https://access.redhat.com/errata/RHSA-2026:4163

Comment 20 errata-xmlrpc 2026-03-10 17:56:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:4214 https://access.redhat.com/errata/RHSA-2026:4214

Comment 21 errata-xmlrpc 2026-03-12 02:48:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2026:3861 https://access.redhat.com/errata/RHSA-2026:3861

Comment 22 errata-xmlrpc 2026-03-12 15:28:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:4472 https://access.redhat.com/errata/RHSA-2026:4472

Comment 23 errata-xmlrpc 2026-03-17 17:56:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:4825 https://access.redhat.com/errata/RHSA-2026:4825

Comment 24 errata-xmlrpc 2026-03-17 18:07:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:4824 https://access.redhat.com/errata/RHSA-2026:4824

Comment 25 errata-xmlrpc 2026-03-23 01:28:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:5217 https://access.redhat.com/errata/RHSA-2026:5217

Comment 26 errata-xmlrpc 2026-03-23 01:39:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:5214 https://access.redhat.com/errata/RHSA-2026:5214

Comment 27 errata-xmlrpc 2026-04-02 14:06:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:5873 https://access.redhat.com/errata/RHSA-2026:5873

Comment 28 errata-xmlrpc 2026-04-16 10:24:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:7239 https://access.redhat.com/errata/RHSA-2026:7239

Comment 33 errata-xmlrpc 2026-05-13 13:54:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:15087 https://access.redhat.com/errata/RHSA-2026:15087

Comment 34 errata-xmlrpc 2026-05-13 14:16:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2026:14773 https://access.redhat.com/errata/RHSA-2026:14773

Comment 37 errata-xmlrpc 2026-05-19 18:00:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19187 https://access.redhat.com/errata/RHSA-2026:19187