2430387 – (CVE-2025-69421) CVE-2025-69421 openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing

Bug 2430387 (CVE-2025-69421) - CVE-2025-69421 openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing

Summary: CVE-2025-69421 openssl: OpenSSL: Denial of Service via malformed PKCS#12 file...

Keywords:
Status:	NEW
Alias:	CVE-2025-69421
Deadline:	2026-01-27
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-16 14:42 UTC by OSIDB Bzimport
Modified:	2026-02-23 22:59 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2026:1601	None	None	None	2026-01-29 20:11:04 UTC
Red Hat Product Errata	RHBA-2026:1605	None	None	None	2026-01-29 22:38:43 UTC
Red Hat Product Errata	RHBA-2026:1875	None	None	None	2026-02-04 04:58:35 UTC
Red Hat Product Errata	RHSA-2026:1472	None	None	None	2026-01-28 08:56:43 UTC
Red Hat Product Errata	RHSA-2026:1473	None	None	None	2026-01-28 09:54:14 UTC

Description OSIDB Bzimport 2026-01-16 14:42:32 UTC

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer
dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to
Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct
parameter is NULL before dereferencing it. When called from
PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can
be NULL, causing a crash. The vulnerability is limited to Denial of Service
and cannot be escalated to achieve code execution or memory disclosure.

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file
to an application that processes it. For that reason the issue was assessed as
Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,
as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.6 users should upgrade to OpenSSL 3.6.1.

OpenSSL 3.5 users should upgrade to OpenSSL 3.5.5.

OpenSSL 3.4 users should upgrade to OpenSSL 3.4.4.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.6.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.19.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1ze
(premium support customers only).

OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zn
(premium support customers only).

Comment 2 errata-xmlrpc 2026-01-28 08:56:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1472 https://access.redhat.com/errata/RHSA-2026:1472

Comment 3 errata-xmlrpc 2026-01-28 09:54:12 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1473 https://access.redhat.com/errata/RHSA-2026:1473

Note You need to log in before you can comment on or make changes to this bug.