PT-2026-4949
Norbert Pócs
Published 2025-01-01 · Updated 2026-03-15
CVE-2025-69419
CVSS v3.1: 7.4 (High) | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.1.1, 3.0, 3.3, 3.4, 3.5 and 3.6
Description
A flaw exists in the handling of maliciously crafted PKCS#12 files when using the PKCS12_get_friendlyname() API. Specifically, processing a PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code points can lead to a one-byte write before the allocated buffer. This out-of-bounds write can cause memory corruption, potentially resulting in a Denial of Service. The issue stems from an incorrect capacity calculation within the bmp_to_utf8() function during the UTF-16 to UTF-8 conversion, specifically when handling BMP code points above U+07FF. The OPENSSL_uni2utf8() function is involved in this conversion. The vulnerability is triggered when parsing attacker-controlled PKCS#12 files via the public PKCS12_get_friendlyname() API. The FIPS modules in versions 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected.
Recommendations
OpenSSL versions 1.1.1, 3.0, 3.3, 3.4, 3.5 and 3.6: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
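As an added illustration of the capacity rule the description above refers to (this is independent example code, not OpenSSL's bmp_to_utf8() or OPENSSL_uni2utf8()), the converter below sizes its output from the real per-code-point UTF-8 length, so BMP code points above U+07FF are given the three bytes they occupy; odd-length input and surrogates are rejected, and the sample strings used to exercise it are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* UTF-8 bytes needed for one BMP code point (surrogates excluded). */
static size_t utf8_len_for_cp(uint32_t cp)
{
    if (cp < 0x80)  return 1;
    if (cp < 0x800) return 2;
    return 3;   /* U+0800..U+FFFF need three bytes, not two */
}

/* Bytes (excluding the NUL) required for the UTF-8 form of a UTF-16BE string. */
size_t bmp_utf8_capacity(const unsigned char *uni, size_t unilen)
{
    size_t need = 0;
    for (size_t i = 0; i + 1 < unilen; i += 2) {
        uint32_t cp = ((uint32_t)uni[i] << 8) | uni[i + 1];
        need += utf8_len_for_cp(cp);
    }
    return need;
}

/* Convert UTF-16BE (BMPString content) to a malloc'd NUL-terminated UTF-8 string.
 * Returns NULL on odd length, surrogate code units or allocation failure. */
char *bmp_to_utf8_safe(const unsigned char *uni, size_t unilen, size_t *outlen)
{
    if (unilen % 2 != 0) return NULL;
    size_t need = bmp_utf8_capacity(uni, unilen);
    char *out = malloc(need + 1);
    if (out == NULL) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < unilen; i += 2) {
        uint32_t cp = ((uint32_t)uni[i] << 8) | uni[i + 1];
        if (cp >= 0xD800 && cp <= 0xDFFF) { free(out); return NULL; }
        if (cp < 0x80) {
            out[o++] = (char)cp;
        } else if (cp < 0x800) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[o] = '\0';          /* o == need by construction, so this write is in bounds */
    if (outlen) *outlen = o;
    return out;
}
```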
DoS
Improper Check for Exceptional Conditions
Memory Corruption
Affected Products
Freebsd
Ibm Aix
Linuxmint
Openssl 1.1.1
Openssl 3.0
Openssl 3.3
Openssl 3.4
Openssl 3.5
Openssl 3.6
Openssl
Rocky Linux
Ubuntu