PT-2026-4950 · Openssl+5 · Openssl 3.1+14

Luigino Camastra · Published 2025-01-01 · Updated 2026-03-15 · CVE-2025-69421

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: OpenSSL versions 1.0.2 through 3.6; OpenSSL version 1.1.1

Description: A malformed PKCS#12 file can cause a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function, leading to a denial of service (an application crash) when PKCS#12 files are processed. The issue occurs because PKCS12_item_decrypt_d2i_ex() does not check whether its oct parameter is NULL before dereferencing it. When the function is called from PKCS12_unpack_p7encdata() with a crafted PKCS#12 file, this parameter can be NULL, resulting in a crash. The vulnerability is limited to denial of service and cannot be used for code execution or memory disclosure. Exploitation requires an attacker to supply a malformed PKCS#12 file to an application that processes it.

Recommendations:
OpenSSL version 1.0.2: at the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL version 1.1.1: at the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenSSL versions 3.0 through 3.6: at the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALSA-2026:1472
ALSA-2026:1473
BDU:2026-01218
CVE-2025-69421
ECHO-0529-49F7-34D9
MGASA-2026-0029
OPENSUSE-SU-2026:10237-1
OPENSUSE-SU-2026:20152-1
RHSA-2026:1472
RHSA-2026:1473
SUSE-SU-2026:0309-1
SUSE-SU-2026:0310-1
SUSE-SU-2026:0311-1
SUSE-SU-2026:0312-1
SUSE-SU-2026:0331-1
SUSE-SU-2026:0332-1
SUSE-SU-2026:0333-1
SUSE-SU-2026:0343-1
SUSE-SU-2026:0346-1
SUSE-SU-2026:0358-1
SUSE-SU-2026:0359-1
SUSE-SU-2026:0360-1
SUSE-SU-2026:0498-1
SUSE-SU-2026:20211-1
SUSE-SU-2026:20223-1
SUSE-SU-2026:20349-1
SUSE-SU-2026:20373-1
USN-7980-1
USN-7980-2

Affected Products

Freebsd
Ibm Aix
Linuxmint
Openssl 1.0.2
Openssl 1.1.1
Openssl 3.0
Openssl 3.1
Openssl 3.2
Openssl 3.3
Openssl 3.4
Openssl 3.5
Openssl 3.6
Openssl
Rocky Linux
Ubuntu