PT-2026-4950 · Openssl · Openssl 3.1 +8

Luigino Camastra

Published 2025-01-01 · Updated 2026-01-27

CVE-2025-69421

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: OpenSSL versions 1.0.2 through 3.6; OpenSSL version 1.1.1

Description: A malformed PKCS#12 file can cause a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. This can lead to a denial of service, causing an application crash when processing PKCS#12 files. The issue occurs because the PKCS12_item_decrypt_d2i_ex() function does not validate whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a crafted PKCS#12 file, this parameter can be NULL, resulting in a crash. The vulnerability is limited to denial of service and cannot be used for code execution or memory disclosure. Exploitation requires an attacker to provide a malformed PKCS#12 file to an application that processes it.
Recommendations:
OpenSSL version 1.0.2: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL version 1.1.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL versions 3.0 through 3.6: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2025-69421

Affected Products

Openssl 1.0.2
Openssl 1.1.1
Openssl 3.0
Openssl 3.1
Openssl 3.2
Openssl 3.3
Openssl 3.4
Openssl 3.5
Openssl 3.6